Apple Encryption in the UK, Texas Vs. DeepSeek
Leo Laporte
It's time for Security Now. Steve Gibson is here. We'll talk about the US response to the UK's request that Apple stop encrypting your data. Why is everybody calling this a backdoor? Steve has got a rant. He doesn't like that word and he's looking for a better one. We'll also talk about TOAD. Did you know that TOAD stands for Telephone Oriented Attack Delivery? What's Google doing to stop that? And then we will talk a little bit about what a terrible job Google's doing managing the Chrome Web Extension Store. When you hear this, you're gonna... you won't believe it. Coming up on Security Now.
Steve Gibson
Podcasts you...
Leo Laporte
...love from people you trust. This is TWiT. This is Security Now with Steve Gibson, Episode 1013, recorded Tuesday, February 18, 2025: The Chrome Web Store Is a Mess. It's time for Security Now, the show where we cover the latest security news, privacy news, with a gentle dollop of science fiction and fun with this guy right here, maybe a little math, even. Steve Gibson from GRC.
Steve Gibson
Hello my friend, it's great to see you. And actually it's funny you should mention sci-fi. We are going to swing in briefly and I'm going to update our listeners on the recommendations that I accepted from ChatGPT when I asked it for, as we may remember, about four or five weeks ago. I said here are the things that I've read that I've enjoyed. What else do you recommend? And first of all, it guessed a bunch that I hadn't told it about that I also have loved in the past and recommended some others. Anyway, so we're going to talk about that now. I should explain that the title of today's podcast, The Chrome Web Store Is a Mess, is not my title. It's the title given to a jam-packed with information and experience blog posting by a very well-known Chrome and, more broadly, web extension developer who's been active for more than 20 years, believe it or not, before this podcast began. Wow. So that was his title. And by the time we're done, rather than people saying, oh yeah, well it's a mess, everyone is going to know why. Because, and I contend that understanding the reason why is much more useful than just, you know, stating it as a fact. So a lot of really interesting information, which is going to leave us with some questions also about why it's a mess, because it's a bigger mess than it arguably needs to be. I mean, like, provably so. What's Google up to? Because it's not like they lack resources. Anyway, so that's our main topic for this episode, 1013, for here we are in the middle of February already. We're gonna talk about US lawmakers responding to last week's topic or discussion point, which was the UK's outrageous demand about Apple's encryption. Also, I wanna just touch on what exactly do we mean when we say backdoor? What is a backdoor?
Leo Laporte
Careful.
Steve Gibson
Can a backdoor... yeah. Can a backdoor not be a secret? Because I don't think so. Also, we have highlights from last week's Windows Patch Tuesday, a look at RansomHub, the latest king of the ransomware hill. We've not taken a close look at one of these operations for a while because we kind of OD'd on it a few years ago. But there's some interesting stuff here. We also have something called TOAD, which stands for Telephone Oriented Attack Delivery, which we're gonna describe. We have Texas versus DeepSeek, which is now a thing. The disabling of Apple's restricted mode. And the question, now this is not I speaking, where did I put that 800 million in Bitcoin? My Bitcoin is not worth 800 million. But there is some guy whose is. As I mentioned, we've got the sci-fi author update and then a deep dive into the misoperation of Chrome's critically important Web Store. Chrome has 90% capture of the market, and extensions are an important part of that ecosystem. But installer beware, because we're going to really understand what's going on there by the time we're done. And of course, one of our great pictures of the week. Thanks to our terrific listeners.
Leo Laporte
I only can see some peanuts at the top of the screen, so I haven't seen the whole thing yet. So that would say.
Steve Gibson
That would suggest that you've seen the caption I gave it, lest there be any doubt.
Leo Laporte
So, no, that's not exactly a giveaway.
Steve Gibson
No, it's not. That was my point. That's why I said it. Lest there be any doubt. And then you see a little row of peanuts. Yes, the punchline is down further.
Leo Laporte
We'll scroll up together in just a moment with Security Now. But first, a word from our first sponsor of the day, those great folks at Veeam. When I talk about Veeam, I think, how could everybody not be using this? We talk all the time, in fact we're going to talk some more about ransomware, and companies, it's amazing, pay ransomware malefactors to get their data back. It always makes me think, aren't you paying attention? Aren't you backing your data up? Turns out it's not as easy as it sounds. But without your data, your customer's trust turns to digital dust. I guess it is easy, but you have to use Veeam. Veeam data protection and ransomware recovery ensures that you can secure and restore your enterprise data wherever and whenever you need it. And no matter what happens, Veeam is the number one global market leader in data resilience. That's probably why 77% of the Fortune 500, more than three quarters of the Fortune 500, trusts Veeam to keep their businesses running. When digital disruptions like ransomware strike, those businesses won't be in the headlines. Veeam lets you back up and recover. You think this would, like, be obvious, but it's hard to do: back up and recover your data instantly. And the reason it's hard is because your data's all over, right, across your entire cloud ecosystem. Veeam actually stops ransomware before it strikes by proactively detecting malicious activity. That's a huge help. And then, and this is really important, again, every company should have this, but a lot don't, Veeam will help remove the guesswork by automating your recovery plans and policies. You do have a recovery plan policy, right? Plus you'll get real-time support should the worst happen from ransomware recovery experts. I shouldn't have to say it. Data is the lifeblood of your business. It's time to get data resilient with Veeam. V double E A M. Go to veeam.com to learn more. V E E A M dot com to learn more. And if you don't, I tried. I tried to save your company.
I tried. Veeam.com. All right, Steve, let's scroll up together. The picture of the week with the...
Steve Gibson
...caption, lest there be any doubt.
Leo Laporte
Lest there be any doubt. A well-known anti-allergy warning, I guess, right?
Steve Gibson
That's right. You definitely want to be notified if what you're eating contains peanuts, if you like, if the equipment ever processed peanuts in the past, if peanuts were being eaten by someone walking down the corridor near you.
Leo Laporte
I was on an airplane where the flight attendant said, we're taking all your peanuts back. There's a kid on board who's allergic, deathly ill. So we're going to come around and collect your peanuts. So even in the air, if you're really allergic, I guess, yeah.
Steve Gibson
So for those who don't have the benefit of video, we have a large bin, probably like a self-serve bin of peanuts in the shell. So those are clearly peanuts. It's very, you know, remember the old Planters guy that was like a big peanut? Yeah, yeah, Mr. Peanut. Thank you. Yeah. There's actually two peanuts in most shells. You hope.
Leo Laporte
Sometimes there's three. You never know.
Steve Gibson
Yeah, that's a... yeah. Anyway, we got a big bin of that, leaving no doubt in anyone's mind what this contains. And there is of course a warning sign in front of it letting everyone know that this product contains peanuts.
Leo Laporte
Really? Well, that could be good news if you like peanuts.
Steve Gibson
This product is peanuts.
Leo Laporte
Yes, there you go. Yeah, this product is peanuts. Okay.
Steve Gibson
So U.S. lawmakers have responded. Last Thursday, Engadget gave their updated coverage of the UK decryption order. The headline: US lawmakers respond to the UK's Apple encryption backdoor request. And the subhead was: Senator Ron Wyden and Representative Andy Biggs said the order is, quote, effectively (they're speaking of the UK's order) effectively a foreign cyber attack. Wow. Waged through political means.
Leo Laporte
They're not far wrong. I mean it affects Americans' data too.
Steve Gibson
Yeah. So what Engadget said was: the UK's shockingly intrusive order for Apple to create a backdoor into users' encrypted iCloud data doesn't only affect Brits. It could be used to access the private data of any Apple account holder in the world, including Americans. Less than a week after security experts sounded the alarm on the report, the US Congress is trying to do something about it. Now, actually, if the US Congress was able to do anything, that would be good. They continued: The Washington Post reported on Thursday that in a rare show of modern Capitol Hill bipartisanship, Senator Ron Wyden, who is a Democrat, and Representative Andy Biggs, an Arizona Republican, wrote to the new National Intelligence Director Tulsi Gabbard asking her to take measures to thwart the UK's surveillance order, including limiting cooperation and intelligence sharing if the country refuses to comply. I mean we're talking about breaking our allegiance with the UK over this. You know, allegiance as in ally. Biggs and Wyden wrote, quote, okay, so this is like the official from Congress, quote, if Apple is forced to build a backdoor in its products, that backdoor will end up in Americans' phones, tablets and computers, undermining the security of Americans' data as well as of the countless federal, state and local government agencies that entrust sensitive data to Apple products. The US government must not permit what is effectively a foreign cyber attack waged through political means, unquote. The pair, writes Engadget, told Gabbard that if the UK doesn't retract its order, she should, quote, reevaluate US-UK cybersecurity arrangements and programs as well as US intelligence sharing with the UK, unquote. Wyden sits on the Senate Intelligence Committee, and Biggs is on the House Judiciary Committee and chairs the Subcommittee on Crime and Federal Government Surveillance. So those are the right two guys.
Wyden began circulating a draft bill that, if it were passed, could at least make the process harder for UK authorities. The proposed modification to the 2018 CLOUD Act would make information requests to US-based companies by foreign entities more onerous by requiring them to first obtain a judge's order in their home country. In addition, it would forbid other countries, like, say, the UK, from demanding changes in encryption protocols to the products or services of companies in the US. Request challenges would also be given jurisdiction in US courts rather than in foreign courts. So, you know, basically if we create a law demanding that the UK demanding changes in encryption products is basically forbidden, then, whoops, okay. The UK order, first reported by the Washington Post, and of course this is what we discussed last week, requires Apple to create a backdoor into its Advanced Data Protection, a feature introduced in iOS 16.2 back in 2022. Advanced Data Protection applies end-to-end encryption to many types of iCloud data, including device backups, messages content, notes and photos, making them inaccessible even to Apple. The order demands a blanket ability to access a user's fully encrypted data whenever and wherever the target may be located. The order was issued under the UK's, here comes the word, Investigatory Powers Act of 2016, known not so affectionately as the Snoopers' Charter, which expanded the electronic surveillance powers of British intelligence agencies and law enforcement. It would be a criminal offense for Apple to publicly confirm receiving the order, so, like, they can't talk about it. So the company hasn't commented, writes Engadget, on the matter. Security experts warn that implementing this backdoor would needlessly expose anyone with any Apple account to foreign spying, hackers and adversarial countries. Apple received a draft of the order last year when UK officials debated the changes.
In a written submission protesting them, the company said the planned order, quote, could be used to force a company like Apple, that would never build a backdoor into its products, to publicly withdraw critical security features from the UK market, unquote. The company can appeal the notice, but cannot use the appeal to delay compliance. Ciaran Martin, former chief executive of the UK's National Cyber Security Centre, told the Washington Post, quote, most experts in the democratic world agree that what the UK is proposing would weaken digital security for everyone, not just in the UK, but worldwide, unquote. Okay, now I wanted to take a moment to focus upon the use of the term backdoor, which has appeared about 20 times so far in what I've read, and even in Apple's own response, which was quoted. Unfortunately, its original meaning is being lost and stretched through reuse for other purposes. You know, as I noted, the term was liberally used throughout the original Washington Post article and also in Engadget's own reporting, mostly because we don't have another term like that now. In the past, I've pedantically objected to the use of the term backdoor in these cases, and I'm going to take this opportunity to be at least as pedantic about this again today, but maybe for the last time, because I'm going to have to give up. I've previously suggested that what's being asked for is a locked, yet unlockable front door. That's what they're asking for now. I suppose the trouble is that this stuff can be confusing for those who don't inhabit the security space for a living. You know, the term back door sounds bad, right? And bad is often the way someone wants it to sound when they're trying to say, oh, this, what they're asking for, is bad. Well, okay, backdoor. So what's wrong with using the term backdoor? My problem is that the word needs, you know, that words in general need to have and to hold onto their meaning.
And although we also see that blurring with misuse, right, the term back door already, I want to say, has, maybe I have to say had, an extremely specific and exact meaning. You know, I mean, we've been around since its early use. It was originally used to describe any sort of security measure bypass, and it was definitely meant to be a secret, period. A backdoor is by definition a secret. So the UK cannot possibly mandate the inclusion of a backdoor into anything, because anything mandated could never be a secret. The UK could certainly mandate that Apple have some means for complying with their demands for a user's data. And if that data was initially encrypted for the user's privacy, then Apple would need to have some means for decrypting it in order to comply with the UK's demand. But nothing about that suggests the use of any sort of backdoor. And in fact, from where we are now, Apple would need to deliberately design in a new front door for which only they possess the key. Apple clearly objects to doing this, and for that I salute them, and as has been previously mentioned, Google has supported similar full end-to-end, device-to-device encryption of cloud-stored data from Android 9's Pie edition. And in this case Pie referred to a dessert rather than to pre-Internet encryption, even though that's what it offered. So it had double meaning there. So if we should not refer to designed-in decryption capabilities as backdoors, what should they be called? The problem is the security industry doesn't have any sufficiently pithy and engaging term for this. So backdoor it is, for better or for worse, even though that isn't at all what anyone is asking for, whether they know it or not. Anyway, I did say I was going to be pedantic about this, and I'm sure I haven't disappointed on that account.
Every time I see the term backdoor, which again has a very specific meaning, you know, its meaning being used as a generic term for obtaining otherwise inaccessible information, I think to myself, yeah, but a backdoor is not what it is. Unfortunately, that's what everybody's going to be calling it. And I think we've collectively lost control of the term.
Leo Laporte
Do you want to propose another one? I mean it's basically. They want the keys. You have talked before about Apple to.
Steve Gibson
They want Apple to be. To be. They want Apple to be holding keys. Yeah, and I mean that's really it. They want Apple to be holding keys. Apple has said we don't want to be holding keys because that, you know, we don't want that responsibility. And also we're selling the fact that we're not holding the keys. I mean that's a sales point for Apple technology.
Leo Laporte
Well, it's only for the Advanced Data Protection version, because they do hold the keys for everything else. And this is important because most Apple users do not use ADP.
Steve Gibson
You and I don't.
Leo Laporte
It's a pain in the butt.
Steve Gibson
You and I don't. I can't because I still have an iPad where I wait about an hour for it to turn on. But it works, let's be clear. Kidding.
Leo Laporte
But what the UK Snoopers' Charter, or, as you say, the Investigatory Powers Act, now you know why they call it the Snoopers' Charter, really what they're saying is: we want clear text of every, of any message ever, of any file ever. We want access to it. Privacy bad, privacy bad. And we want to be able to, we want you to be able to give us the information should we ask for it.
Steve Gibson
We don't like encryption.
Leo Laporte
I don't want it.
Steve Gibson
We don't like encryption. We used to be able to put a wiretap on somebody and we'd get all of the content from them.
Leo Laporte
Well, we saw what happened because of CALEA, that now the Chinese are in our phone system, because using that back...
Steve Gibson
...door, for lack of a better term.
Leo Laporte
It's up to you to come up with a better.
Steve Gibson
Okay, so here it is, here it is. You know I've asked for a caption on a photo before. So now this is our listeners' challenge. You all heard that backdoor means a secret. So what would be a fun, pithy, catchy, successful term for this, for, you know, an encryption bypass, essentially, is what we're asking?
Leo Laporte
That's what it is, isn't it?
Steve Gibson
It's an encryption bypass. Yeah.
Leo Laporte
So there is no such thing as real encryption. That's the, that's what they want. Well it'll, you've mentioned in the past you had come up with this is some years ago the notion of some sort of key escrow system that might allow this without really compromising people's privacy. Do you remember that way back when.
Steve Gibson
There's a lot of work that has been done. For example, there are ways to take a single key and divide it up among some number of people where you need some subset of those people to provide their content in order to recreate the whole key. So I mean there's all kinds of, I mean, cryptographers have solved all these problems before. But when we start getting tricky and anything seems muddy, you end up like no one wanting those CSAM image hashes on their phone. They're like, they're not the images. No, no, no, we don't want anything to do with that. So I respect Apple for being very sharp-edged about this. It's yes or no. It's either we cannot do it or we're not going to try.
Leo Laporte
Well the real, the real issue here, if it were just the UK saying we want that for UK traffic, traffic inside the UK for UK citizens. Apple would just say okay fine, UK citizens. You don't get advanced data protection. And that's maybe what will end up happening is the UK might back off and say okay just for the UK.
Steve Gibson
But then how do you define that border? That's the problem. It's what about a UK phone traveling outside of the UK or me, I'm.
Leo Laporte
Having a conversation with somebody from the UK.
Steve Gibson
Right.
Leo Laporte
That's my data too. So it is, it is very tricky asking for it globally, though Apple, Apple is not going to say, okay, we'll turn off advanced data protection globally. They're not going to do that.
Steve Gibson
No.
Leo Laporte
And they shouldn't.
Steve Gibson
No, not because the UK says we want the right to have access to anyone's data. No. I mean, so we've, I know, for a couple years now, right, we've been talking about and following and chronicling this, the inherent tension. In fact, it's why I dropped the development of CryptoLink, which was my, you know, I mean, absolutely uncrackable cryptographic networking technology. And I just decided I don't want to invest heavily in creating something that the government may tell me is making me an outlaw.
Leo Laporte
And this is back in the Obama days.
Steve Gibson
Yeah, right.
Leo Laporte
I mean, this is. Well, before this was an issue.
Steve Gibson
So it is really good that the UK has come down like this, because now, I mean, it is... what they've asked for is such overreach. So as you said, so much, they're asking for complete decryption of anything they want. They need to just be told no. And the other governments who are watching this are going to go, oh, okay, well, let's not try. I mean, France, as I mentioned last week, France has got some of their own legislation moving forward through their own parliament. And if the UK just gets slapped down and says, you know, if you want to do that, we're just, you know, not going to give encryption to anybody in the UK. See how your citizens like that.
Leo Laporte
And honestly, if our Congress asked for that in the UK, if the US Congress said, oh, and we want, you know, to be able to look at anybody's conversations anywhere in the world, people in the UK would be just as upset as we are. Yeah, it's not OK. It's UK.
Steve Gibson
It's UK. I saw that coming.
Leo Laporte
There's a slogan.
Steve Gibson
That's right. Okay. So compared with last month's massive batch of software fixes, it didn't break a record. I said, what was it, 163 or something? But it was a local record. February's updates last week were mild. They addressed merely 63 flaws and eliminated a pair of less severe, though still actively exploited, zero-days in Windows. Of those 63 flaws, three were rated critical, 57 were deemed to be merely important, one was moderate, and the last two were rated as low severity. So don't be in a big hurry for that. But of course they all come as a big bundle. In addition to those 63, Microsoft also separately resolved 23 flaws over in their Chromium-based Edge browser. The two resolved zero-days had CVSS of 7.1 and 7.8 respectively. The 7.1 was an elevation of privilege in Windows Storage. Microsoft's alert said an attacker would only be able to delete targeted files on a system. That's interesting. This vulnerability, they said, does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable. Thus the, you know, 7.1. It's like, well, that's not good, but it's not gonna, you know, it's not a 9.8 house-on-fire CVSS. However, Mike Walters, the president and co-founder of Action1, noted that the vulnerability could be chained with other flaws to escalate privileges and perform follow-on actions that can complicate recovery efforts and allow threat actors to cover up their tracks by deleting crucial forensic artifacts. So yeah, deletion, if that's all you can do, that can still be good if you want to delete logs of you poking around in someone's system which you would otherwise not be able to delete. The second zero-day, having the higher CVSS of 7.8, also created an elevation of privilege vulnerability, this time in the Windows Ancillary Function Driver for WinSock. WinSock is short for Windows Sockets, and it's part of the operating system's networking subsystem. Due to the fact that the AFD, that's the Ancillary Function Driver, AFD.sys driver, is down in the kernel, the successful exploitation of this vulnerability, you know, good old networking vulnerability, would allow an attacker to obtain SYSTEM privileges. So, you know, yes, escalation all the way up to full SYSTEM. Now, a similar flaw in AFD.sys was disclosed by Gen Digital last August after they found that it had been weaponized by North Korea's Lazarus Group. A year ago, in February of 2024, Microsoft plugged a Windows kernel privilege escalation flaw affecting the AppLocker driver, that's appid.sys, that was also being actively exploited by the same group. These attack chains stand out because they do not rely upon the, you know, bring your own vulnerable driver, you know, BYOVD approach, which we've talked about, like an old signed printer driver which has known flaws. The bad guys will bring that in. It's signed. So Windows says, oh, a signed driver, let's load it. And then they exploit the vulnerability down in the kernel that that driver created. That's the bring your own vulnerable driver. Instead, what's happening here is that they take advantage of the comparatively rare security flaws that still can be found, and these two were just patched, in native Windows drivers to eliminate the need to introduce vulnerable drivers into their targets. And really locked-down systems can even prevent, not surprisingly, the bring your own vulnerable driver. They're locked down so much they won't allow any new driver to be installed. Of course that creates lots of headaches for people who just want to use Windows a little more casually. But you can't have it both ways. Now, it's not known whether the abuse of last month's zero-day is also linked to the Lazarus Group. Remember, both of these drivers are zero-days.
They were under abuse. So somebody had found them and they were found being exploited. CISA has added both of the flaws to its Known Exploited Vulnerabilities, that's the KEV catalog. Their presence in CISA's KEV catalog does require federal agencies to apply patches by the 4th of March. So within, like, four weeks of this thing happening. So the most severe flaws addressed by Microsoft in this month's update were not zero-days. There's of course CVE-2025, and then it's 21198, that's got a CVSS of 9.0, allowing remote code execution in the so-called High Performance Compute, or the HPC Pack. Microsoft documented that saying an attacker could exploit this vulnerability by sending a specially crafted HTTPS request to the targeted head node or Linux compute node, granting them the ability to perform remote code execution in other clusters or nodes connected to the targeted head node. Okay, so although this is bad, it wasn't known to be abused at the time of its patching. So, you know, now the vulnerability is known. And remember, CVSS of 9.0, and it's remote code execution in something that's remotely network accessible. So the bad guys could potentially reverse engineer the update, discover the vulnerability, weaponize it and start using it. So now would be a good time to apply this month's patches, if you haven't already. There's also an 8.1 CVSS which affects Windows LDAP, that's Lightweight Directory Access Protocol. The flaw allows an attacker to send a specially crafted request and to execute arbitrary code. Now, since that's really not good, the LDAP flaw would normally have a higher CVSS, right? Network accessible remote code execution. So why only an 8.1? Because it involves a race condition that has to be won in order to succeed.
Even so, Ben McCarthy, the lead cybersecurity engineer at Immersive Labs, said, given that LDAP is integral to Active Directory, which underpins authentication and access control in enterprise environments, a compromise there could lead to lateral movement, privilege escalation and widespread network breaches. In other words, you know, the precursor to ransomware in your company, and nobody wants that. Oh, and speaking of authentication, because that's what this problem was, a very low probability of success authentication bypass, there's also a CVSS 6.5 NTLM version 2 disclosure vulnerability which, if successfully exploited, would permit an attacker to authenticate as the targeted user. So, you know, not any sky-is-falling updates. But as usual, updating as soon as practical would be a good idea. And you know, Leo, what would be another good idea? I'm looking at this mug of coffee over here thinking that would be good.
Leo Laporte
All right, we could do that. We could take a break. This portion of Security Now brought to you by a brand new sponsor. I want to welcome Legato Security. Steve, we're going to talk about Chrome extensions in a bit. Wasn't it like Christmas Eve that that attack on Chrome extensions happened? Like all the malicious Chrome... was it Chrome extensions were uploaded or something on Christmas Eve? I remember this, you're right.
Steve Gibson
And we noted it because it was clearly the timing was chosen to maximize the length of time before it would probably be seen, because the...
Leo Laporte
...security people in your company and those extensions were off for Christmas, right?
Steve Gibson
Also like a good eggnog. And so yes, so this is the.
Leo Laporte
...thing, like big companies have 24-hour monitoring. You probably, if you have a burglar alarm on your house, have 24-hour monitoring, right? No business should be their own burglar alarm, you know, because people go home for the weekend and bad guys know that. Legato Security is perfect for small and mid-sized businesses that want that 24-hour protection. Legato Security provides the same standard of security controls the big enterprises depend on. But you don't have to build your own internal SOC, security operations center, because Legato's got one. Now, don't worry, they're not gonna install a bunch of their own tools. They work with everybody. So this is the beauty. Imagine 24-hour monitoring of your security posture, of what's going on in your network, what's going on with your apps and your data. But you don't have to build the SOC. As a recognized leader by CRN and MSSP Alert in 2024, Legato Security, Legato, remember this name, L-E-G-A-T-O, Legato Security transforms how businesses approach their cybersecurity. First of all, Legato is a technology-agnostic MSSP platform, managed security service provider platform. That means they provide your business with a suite, a custom suite of security solutions tailored to your needs and your existing tools. They integrate seamlessly with your existing security infrastructure so you don't have to do some big infrastructure overhaul. They have, though, an incredible platform. It's called Ensemble. It's a proprietary security operations platform. So it works with all your existing tools, your firewalls and so forth. It delivers consolidated, prioritized and actionable alerts in real time. It's nice because it's a single pane of glass. It's a dashboard that says exactly what your status is, what's going well, what's not. Look, hackers don't take holidays. They love holidays. They want to work Christmas Eve. They don't stop working when you clock off. That's when they go to work.
Legato Security's 100% US-based team provides proactive threat detection, triage and remediation. And they do it 24/7, 365 days a year in their purpose-built security operations center. So your team can focus elsewhere. You can go home and have some eggnog when it's time to clock out, but they'll work with you when it's not. From entrepreneurs to Fortune 100 companies, Legato Security creates custom MDR solutions that protect businesses so leaders can focus on growth. A recent customer says, quote, Legato Security is the only supplier that has delivered everything they said they would. We didn't have to drive them. They just get it done. Don't you want that? Legato Security isn't going to call to tell you you have a problem. Hey, we think you got a problem. They're going to call to say we saw the problem, we fixed the problem. That's the call you want. We saw it, it's fixed, don't worry. IT and security professionals, Legato Security's MSSP is here to help augment your security team. Don't worry, they're not there to replace them. They're going to work with you. They're the professionals you want on your team to back up your cybersecurity forces and to fortify your proactive defenses 24/7, 365 days a year. Security tools, they're great, but they're not enough. You need the expertise to back it up. See if your defenses are as strong as you think. They've got a free risk assessment available on their website to give you the information you need. I think you should check it out. LegatoSecurity.com. L-E-G-A-T-O, LegatoSecurity.com. Brand new sponsor. I had a great conversation with these guys last week, I think it was maybe two weeks ago. I was very impressed. You could have a burglar alarm, but if somebody's not monitoring it 24/7, it's not good enough. You got to have it full time. Visit legatosecurity.com to discover how they can help you regain control and enjoy your weekends and Christmas Eve like you used to. That's LegatoSecurity.com.
L-E-G-A-T-O, LegatoSecurity.com. All right, enough. Back to the show. Steve, let's talk tech or something.
Steve Gibson
RansomHub.
Leo Laporte
Oh, with a U. Misspelled ransom. Is it, or... No, no, it is spelled with an O. Okay.
Steve Gibson
Yeah, at the.
Leo Laporte
At the top. At the top. You spelled it with a U.
Steve Gibson
And I thought I did. I did notice.
Leo Laporte
That's a good way to spell it.
Steve Gibson
Yes. It's RansomHub. So this is 2024's, as in last year's, top ransomware group.
Leo Laporte
Wow.
Steve Gibson
They hit more than 600 organizations.
Leo Laporte
This is the email you do not want to see.
Steve Gibson
We are the RansomHub. Your company servers are locked and data has been taken to our servers. This is serious. Yeah. Then they have good news. Your server system and data will be restored by our decryption tool. For now, your data is secured and safely stored on our server. Oh, so that's nice.
Leo Laporte
What a relief.
Steve Gibson
We're your backup system. Yeah, that's right. Nobody in the world is aware about the data leak from your company except you and RansomHub.
Leo Laporte
Oh, boy.
Steve Gibson
In other words, we got it. We encrypted it. We wiped all of yours out because obviously you're not able to hold onto it. And it's been decrypted and we haven't told anybody, so now is the time to pay.
Leo Laporte
Look at their address. Holy cow.
Steve Gibson
Yeah, well, those are Tor nodes.
Leo Laporte
Okay? So that's a GUID.
Steve Gibson
Okay, yeah. So under the FAQ section of their ransom note, they have who we are. And then they've got a normal browser link and then a Tor browser link that will take you to their site on the Dark Web in order to learn about these nefarious cretins.
Leo Laporte
Well, I'm gonna go to the authorities immediately.
Steve Gibson
That's right. And then they say, want to go to the authorities for protection? Seeking their help will only make the situation worse. And then they go on to explain how they will be... you'll be prevented, you know, they will try to prevent you from seeking help, and they're incompetent, and incident reports and blah, blah, blah, blah, blah. So, yeah, and they even give a Wikipedia link to the General Data Protection Regulation to show how you could get in trouble if you do anything except open your Bitcoin wallet to these guys. So what we have is a new and quite effective ransomware-as-a-service, which of course is the way to do this now. RaaS, ransomware-as-a-service, group calling themselves Ransom, with an O, Hub. They have risen in prominence to become last year's number one perpetrator after compromising the networks and data of more than 600 organizations worldwide. And no doubt a bunch of them were the school districts that we talked about recently. The RansomHub bad guys have been observed leveraging now-patched security flaws in Microsoft's Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of their post-compromise strategy. So, you know, larger organizations that have a domain controller around. Analysts at Group-IB write in a report published last week that RansomHub has targeted over 600 organizations globally, spanning sectors including healthcare, finance, government, and critical infrastructure. This has firmly established them as the most, currently the most active ransomware group through 2024. Now, the group first surfaced exactly a year ago, in February of 2024, after acquiring the source code associated with the now-defunct Knight, formerly known as Cyclops, ransomware-as-a-service group from the RAMP cybercrime forum. Five months later, an updated version of the locker, as it's called, you know, the encryption software...
The locker was advertised on the illicit marketplace with capabilities to remotely encrypt data via the simple file transfer protocol, so SFTP. The group's updated malware comes in multiple variants that are capable of encrypting files on Windows, VMware ESXi and SFTP servers. RansomHub has also been observed actively recruiting affiliates from LockBit and BlackCat groups as part of the partnership program.
Leo Laporte
This is very professional.
Steve Gibson
Wow. Unfortunately, indicating an attempt to capitalize on law enforcement actions targeting its rivals. Remember that we've talked about how when you get stomped on, all the rats scurry and some of them take the source code with them and set up new operations. Some of them just switch over to using, like, merge with other groups. In the incident which was analyzed by Group-IB, RansomHub unsuccessfully attempted to exploit a critical flaw impacting Palo Alto Networks PAN-OS devices. That was CVE-2024-3400. And they were trying to use a publicly available proof of concept, but then they ultimately breached the victim network by means of a brute force attack against the exposed VPN service. The Group-IB researchers said, quote, this successful brute force attack used an enriched dictionary of over 5,000 usernames and passwords. The attacker finally, eventually gained entry through a default account frequently used in data backup solutions, which then allowed them to breach the network perimeter. So don't reuse usernames and passwords from anywhere. Make your own from scratch, everybody. The initial access was then used to carry out the ransomware attack, with both data encryption and exfiltration occurring within 24 hours of the compromise. The attack weaponized two known security flaws in Active Directory, one from 2021. Now, okay, anybody who's getting compromised today, or I should say in 2024, through an Active Directory flaw that was patched in 2021... again, I will never tell anybody they deserve it, but wow, come on. So that was CVE-2021-42278, also known as noPac, and the Netlogon protocol. That flaw dates from 2020, the year before. That's CVE-2020-1472, also known as Zerologon, that we've talked about. And so here's a network, again, just nobody is giving it any thought, any maintenance, any updates. I mean, you have to try not to have your system updated by Microsoft. It takes work for that to be the case. So yikes.
And that of course allowed the attackers to seize control of the domain controller and then conduct lateral movement within and across the network. So, trouble. The researchers said that, quote, the exploitation of these vulnerabilities enabled the attacker to gain full privileged access to the domain controller, which is the nerve center of a Microsoft Windows-based infrastructure. Following the completion of the exfiltration operations, the attacker prepared the environment for the final phase of the attack. The attacker operated to render all company data saved on the various network attached storage systems completely unreadable and inaccessible, as well as impossible to restore, with the aim of forcing the victims to pay the ransom to get their data back. The researchers added, the origins of the RansomHub group, its offensive operations and its overlapping characteristics with other groups confirm the existence of a still active cybercrime ecosystem. This environment thrives on the sharing, reusing and rebranding of tools and source code, fueling a robust underground market where high profile victims, infamous groups and substantial sums of money play central roles. Ransomware-as-a-service affiliates are incentivized with an 80% share of ransom proceeds. Yeah, that was always the thing that, from the first moment this appeared, Leo, you and I noted that that's so smart, that the affiliates that are doing essentially the upfront work of getting into people's networks and creating, you know, opening those doors, be they front or back, that, you know, they get 80% of the proceeds. That's just, dare I say, smart business.
Leo Laporte
They take a smaller cut than Apple does. You know, they, oh, we're only going to take 20%. But you know, if you got a thousand affiliates, that adds up.
Steve Gibson
Yeah. So after originally being saturated in ransomware stories, you know, I've been actively avoiding them, since there hasn't really been that much new to report, except just incident after incident after incident. Yeah, yeah. Law enforcement has successfully tracked down, when they've been like really motivated by the big embarrassing breaches, tracked down and stomped out many of the larger and highest profile groups. But exactly as was predicted, any members who managed to escape law enforcement sweeps, or those who were more peripheral to the operations, changed groups, moved, merged into others, or formed new groups. The problem is, as we saw during last week's detailed look into attacks on K-12 school systems, there's just too much money potentially waiting to be collected from insurers for bad guys to ignore the chance to get some of that. So ransomware in one form or another promises to remain a cybercrime staple for the foreseeable future. It's not going away. It's, you know, I would argue maybe it became too high profile and learned a lesson from that, all of that shutting down the east coast oil pipeline that roused the giant, and those groups no longer exist today. But as a source of extortion and revenue through extortion, it's not gone away and it's not going to.
Leo Laporte
You can kind of see why. I mean, not only is it lucrative, it's probably pretty fun to try to find a way to get into these systems. Right? It's like a game.
Steve Gibson
I would always be too afraid. On the other hand, I'm not in Russia aiming at the West.
Leo Laporte
If you're in Belarus, nobody's gonna arrest you. You're safe and you're underemployed. They probably are highly educated. Maybe not. Maybe they're just script kiddies. But a lot of these, I mean...
Steve Gibson
This does show some engineering.
Leo Laporte
It's clever. Yeah.
Steve Gibson
And how many ways are there to socially engineer an attack? I mean, and now you've got GPT making your letters sound really good.
Leo Laporte
That's right. You can no longer look at a phishing attack and say, well, that's clearly phony because of the bad grammar. No, they're perfect. Spelling, grammar, everything.
Steve Gibson
And you can also say, well, you know, this is a company involved in remarketing, you know, flimwizzles, and so please write a letter that, you know, would induce a flimwizzle purchasing agent to, you know, click on this link.
Leo Laporte
I think I can write that letter for you. Wow. Wow.
Steve Gibson
Yeah. Here's something I didn't realize was a thing until I learned that Google was beta testing its prevention. There is a class of attack using the acronym TOAD, which stands for Telephone-Oriented Attack Delivery. This forthcoming feature of Android 16 blocks fraudsters from sideloading apps during phone calls. Now, when I read that I thought, sideloading apps during phone calls, that's a thing? Anyway, The Hacker News explains. They wrote, Google is working on a new security feature for Android that blocks device owners from changing sensitive settings when, that is to say while, a phone call is in progress.
Leo Laporte
Wow.
Steve Gibson
Which they're directed to do by the fake tech support guy.
Leo Laporte
So it's not automated that somebody says, oh, you know, yes.
Steve Gibson
It's like, oh, to do this you have to... Anyway, specifically, they said new in-call anti-scammer protections include preventing users from turning on settings to install apps from unknown sources and granting accessibility access. The development was first reported by Android Authority. Okay, so apparently scammers are... we could like reverse engineer the attack from this, right? Scammers are instructing unwitting users to do things during phone calls, such as, I suppose, when calling a fake technical support hotline for assistance, you know. The Hacker News continues, saying users who attempt to do so during phone calls will now be served the message, quote, scammers often request this type of action during phone call conversations, so it's blocked to protect you. If you are being guided to take this action by someone you don't know, it might be a scam. Furthermore, it blocks users from giving up app access to accessibility over the course of a phone call. The feature is currently live in Android 16 Beta 2, which was released last week. With this latest addition, the idea is to introduce more friction to a tactic that has been commonly abused by malicious actors to deliver malware, dubbed Telephone-Oriented Attack Delivery, or TOAD. Gotta love that acronym. I love that. Yeah, yeah. These approaches involve sending SMS messages to prospective targets and instructing them to call a number by inducing a false sense of urgency. Last year, NCC Group and Finland's National Cyber Security Centre disclosed that cybercriminals were distributing dropper apps using a combination of SMS messages to initiate scam calls, followed by phone calls to trick users into installing malware such as Vultur. The development comes after Google expanded restricted settings to cover more permission categories in order to prevent sideloaded apps from accessing sensitive data. So Google added protections, and then the bad guys realized, oh, we got to get those to be turned off.
So let's get the guy on the phone and explain why. Oh, you need to turn this off just for, just a second. I'm just going to, you know, we just need to make a few little changes here in order to solve your problem. So Google has also rolled out the ability to automatically block sideloading of potentially unsafe apps in markets like Brazil, Hong Kong, India, Kenya, Nigeria, Philippines, Singapore, South Africa, Thailand and Vietnam. So anyway, this seems like a very useful feature, and I think it's the sort of thing that our phones could obviously very easily do. How often do you actually need, would you legitimately be fiddling with app access permissions while you're on the phone? I mean, it could even be like, sorry, this is not available while the phone is in use. So, you know, like a deliberate shutdown in the phone's multitasking system.
Leo Laporte
The problem is that sometimes it's legit, right? If you call a help desk at your company and they want you to do this, that's the problem. So all they can really do is.
Steve Gibson
Warn you and say, yeah. And I think this should serve as a reminder of just how effective social engineering attacks remain. You know, as I've often said, most people have no, no idea how any of this stuff works. They're just like, okay, I can turn on... And when a knowledgeable-sounding voice at the other end of the phone explains how to fix some made-up problem, many people will just follow along. Especially when this is...
Leo Laporte
Especially older people. Right?
Steve Gibson
Yes. And right. And when it's spoken with authority, I mean, notice how even ChatGPT's voice of authority, it's like, it's seductive. It's like so sure that it's, that it's correct. I loved how it wasn't Andy, it was Alex who was mentioning that he asked about the specs for some router for the... He had like the 16-port version and he asked for the specs for the 8 and the 4. And the 8 exists. There is no four-port version, but it just produced a four-port specification sheet that was beautiful for a completely fictitious router.
Leo Laporte
Confidently wrong is the term, you see. I mean, this is such a common problem that Zelle, which is the electronic payment system used by very many banks, Chase just started blocking Zelle payments through social media contacts, because there are so many scam social media systems, right? And older people go, oh yeah, I saw this guy, a thing on Instagram. And so they're gonna stop it, because 50% of fraudulent wire transfers from Zelle originated on social media.
Steve Gibson
Wow.
Leo Laporte
I mean we're sitting ducks out here, Steve. Help us. It's amazing. It's just amazing. Good on Google for doing that. That's the least.
Steve Gibson
I mean, again, it makes so much sense. It's a simple thing to do, and I'm sure there's a, you know, if you're really sure, then okay. But, you know, for that to come up on your phone, even some oldster is going to go, that didn't occur to me. Ooh. Oh, sonny, who did you say you were with again?
Leo Laporte
Yeah, yeah, I see that Zelle does that now. If you use it, which I do, it'll warn you. It'll even show you sample spoof messages and things, say, you know, this, this happens. You can't... So they're doing, I guess they're really a vector.
Steve Gibson
Let's take a break and we're going to talk about Texas versus DeepSeek.
Leo Laporte
Oh, okay. That should be, that'll be, that'll be interesting. I actually, this is great. All of our sponsors are very timely, Steve. I don't know if you've noticed that. I think it's too bad that individual users, home users, can't use Zero Trust, because that would solve a lot of this. That ransomware you just talked about, the lateral movement, using VPNs to exfiltrate data, all of that would just be stopped cold by Zero Trust. The problem, of course, I think for a lot of companies, is that Zero Trust is a hard thing to implement. Perhaps, you know, it's a new idea for you. Our show, this portion of our show, is brought to you by ThreatLocker, which is absolutely just kind of the premier example of a company that makes Zero Trust easy and very, very affordable. Harden your security with ThreatLocker. You'll never have to worry about zero-day exploits, supply chain attacks. Worldwide, big companies like JetBlue trust ThreatLocker to keep their data and keep their business operations secure and flying high. The whole idea is, I really wish people could do this at home, it's taking a proactive deny-by-default approach to cybersecurity. We've talked about this on the show. I think Zero Trust started with Google, and it really is the single best way to protect your network. With ThreatLocker you block every action, every process, every user, unless explicitly authorized by your team. ThreatLocker makes it easy, it helps you do it, and this is great, provides a full audit of every action. That's great for compliance, but it's also great for risk management, because you know who was doing what, when and where. ThreatLocker's 24/7 US-based support team fully supports onboarding and, of course, beyond. Stop the exploitation of trusted applications within your organization. Keep your business secure, keep it protected from ransomware. Organizations in any industry can benefit from ThreatLocker's Ringfencing.
It isolates critical and trusted applications from unintended uses or weaponizations. It limits attackers' lateral movement within the network, and, by the way, heterogeneous networks too. ThreatLocker doesn't just work for Windows, it works for Macs too. And man, if you go to the website, it is very affordable. You'll get unprecedented visibility and control of your cybersecurity quickly, easily and cost effectively with ThreatLocker's Zero Trust endpoint protection platform. Visit threatlocker.com right now, get a free 30 day trial. You'll see how easy it is to implement and how effective it is to protect. Learn more about how ThreatLocker can help mitigate unknown threats and, yes, ensure compliance. That's nice. Threatlocker.com. Security starts and finishes at the endpoint. Zero Trust done right. Threatlocker.com. We thank them so much for supporting Security Now.
Steve Gibson
And the great analogy is firewall. We used to have a firewall that was open and you would block abuse-prone ports. And we switched firewalls universally: block it all, deny by default, and then selectively open the ports that you need.
Leo Laporte
I think you're responsible to a great degree, because with ShieldsUP you taught people that these ports were open. You showed them that and you explained it very nicely. If you've never used ShieldsUP, every time I install a new router I immediately go to ShieldsUP, because it explains not only what ports are open, what ports are responding, you know, not necessarily open but closed, but not, you know, hidden.
Steve Gibson
Yep. Not stealth, not stealthed.
Leo Laporte
It's a really good site to learn about that, at grc.com. Great plug there, Steve.
Steve Gibson
Thank you. And I think it's what, 109 million or something uses of ShieldsUP.
Leo Laporte
Yeah, I think really you get a lot of credit for teaching people about securing their routers. Absolutely. Absolutely.
Steve Gibson
All right. With a heading, because why not? We have the news reported by The Record that Texas is investigating DeepSeek. Of course they are, because why not?
Leo Laporte
It comes from China, which, you know.
Steve Gibson
Yeah, DeepSeek comes from China.
Leo Laporte
It's gotta be bad.
Steve Gibson
What did they do wrong? Well, they embarrassed the US by making a better AI. So we've decided that they probably violated the state's data privacy laws and we need to find out, says Texas. In their reporting, The Record wrote, Attorney General Ken Paxton's office has also requested relevant documents from Google and Apple seeking their analysis, in quotes, of the inexpensive and open source DeepSeek app and asking what documentation they required from DeepSeek before they made the app publicly available for download on their app stores. Oh, in other words, the Attorney General in Texas has no information of any sort whatsoever. Well, that's obvious, but just thinks that it's kind of probably a bad idea.
Leo Laporte
Tell us about it. You tell us.
Steve Gibson
Yeah, exactly. That's right. Paxton said in a statement, quote, DeepSeek appears to be no more than a proxy for the CCP. Oh, those...
Leo Laporte
A little much.
Steve Gibson
Commies.
Leo Laporte
Yeah.
Steve Gibson
To undermine American AI dominance. And they did it better than we did. We don't like that. And steal the data of our citizens. That's why I'm announcing, mostly it's the announcement, I'm announcing a thorough investigation and calling on Google and Apple to cooperate immediately by providing all relevant documents related to the DeepSeek app. In other words, their AI is better than ours and we can't have any of that, so we're going to investigate them in order to hopefully find some evidence of some misbehavior somewhere. The Record wrote, DeepSeek, Google and Apple did not immediately respond to requests for comment, and maybe even not not immediately. On January 28, Paxton banned DeepSeek's use on all devices owned by members of his staff due to security concerns and what a press release from his office called the company's blatant allegiance to the CCP, including its willingness to censor any information critical of the Chinese government. Oh, that's right. Because it doesn't have a right to censor information that's critical of China, even though it's from China. This week, New York State and Virginia both blocked the use of DeepSeek on government devices. And on Monday, Representatives Josh Gottheimer, a Democrat from New Jersey, and Darin LaHood, an Illinois Republican, introduced a bipartisan bill that would ban federal workers from using DeepSeek on government devices.
Leo Laporte
Josh Hawley's proposed a bill that would fine anybody a million dollars or as much as 20 years in prison for downloading DeepSeek. You know you can run DeepSeek in the US explicitly, right? It's just a model people can download. There are a number of places you can run DeepSeek around here. So, sadly, yes, without any access to China, without, you know, completely locally, any...
Steve Gibson
Chinese technology backlash has become predictable, with DeepSeek just being the latest example. Since it's exceedingly difficult to prove that China is not using their DeepSeek app, you know, the smartphone, the mobile app, to monitor the questions, behavior, and who knows what else of US citizens, it appears that we're inevitably heading into a world of increasing mistrust. You know, basically a technology cold war where everyone is only going to be trusting the hardware, software and firmware produced by their own country and their close allies, you know, and even close allies are having trouble, as we're seeing with the emerging standoff between the UK and Apple. That this was where we were headed appeared to be clear for years, as tensions between the US and both China and Russia have been gradually mounting. Everyone listening to this podcast has heard me wonder on many prior occasions how it is that China and Russia were still using Microsoft's Windows, an operating system that could so easily be hiding pro-Western capabilities. As we know, both of those countries have felt similarly and are now working to remove Windows from their critical enterprises and industries. And as we know, that's a feat that's much more easily ordered than accomplished. It's sad, Leo, but it's the direction we're headed in. We're sort of having a technological detente for a while.
Leo Laporte
The reason this was embarrassing the US is because this was an open model.
Steve Gibson
Yes.
Leo Laporte
And so you can run DeepSeek V3, here it is on Together AI. But there are plenty of places you can do this, running completely on United States servers. By the way, you can ask it about Tiananmen Square, because it doesn't have that lock. It will respond. You don't need the app. And this is great. It's good. It was open source. Even Sam Altman said, yeah, we might be on the wrong side of history with this.
Steve Gibson
Yeah, well, I mean, they are. This was a breakthrough. This was without a question. It caught a lot of people flat-footed in the more traditional, I mean, and I say traditional with air quotes because, yeah, a month ago that was traditional.
Leo Laporte
Let me just quickly query this DeepSeek running on Together AI to see if, if it will tell me about this famous photo of a man standing in front of a tank. Oh yeah, absolutely.
Steve Gibson
Uh huh.
Leo Laporte
Tiananmen Square protest, 1989, Tank Man. This is DeepSeek, the so-called censored Chinese AI. Never mind. Yeah, somebody should call Ken Paxton and show him this.
Steve Gibson
Well, and I would imagine some money will surface a non-Chinese DeepSeek-based US app.
Leo Laporte
Well, that's what this is. It's not an app, but it's a website, Together. But an app, because it...
Steve Gibson
Is the app that, that, that Texas is upset about.
Leo Laporte
Yeah, well, yeah, I took the app off. I don't need the app.
Steve Gibson
Right, right, right. But I would imagine somebody will, will, will do an app that is based on domestic hardware running, you know, DeepSeek.
Leo Laporte
You could right now.
Steve Gibson
Great model.
Leo Laporte
Yeah, yeah.
Steve Gibson
Okay. I wanted to note that eight days ago, as I'm sure you covered on MacBreak, Apple announced that they had updated all of their operating systems to fix a bug that they said may, and of course I always say may, may have been used in, quote, extremely sophisticated attacks against specific targeted individuals. Which is to say we know that it was, but we don't... We're not going to say that. Back when it was introduced, we covered the introduction of so-called restricted mode. It further locks down Apple devices wherever it's enabled. On the one hand it makes those devices much less fun to use because they can't do as much. But that's the whole point, right? With more capability comes more opportunities for vulnerability. We once talked about how it's actually, like, it's not a multiplicative, it's a squaring function, because anything you add that interacts with everything else has all those new interaction possibilities. It's not just twice as much, it's the square of the number of interactions. So in return, however, for making the devices much less fun to use, it also makes them far less easy to compromise. And I strongly endorsed the addition of this option at the time, since we still haven't figured out how to make highly complex products 100% secure and bulletproof. So this allows an individual who is a high, you know, a highly likely to be targeted, target of interest person to make their phone less functional in return for making it much less easy to compromise. The flaw that was fixed, this flaw that Apple just fixed eight days ago, which is now fixed, would have, and presumably did at the time, allow sophisticated attackers to employ the flaw in an attack chain. Its role in the chain was to disable restricted mode, which should not have been possible. That should have been a UI thing only on a locked device. So the phone was locked, restricted mode was enabled, and with this flaw as part of the attack chain...
Restricted mode would be turned off even though the phone was locked. The vulnerability as described could have been used to enable unlocking technology similar to that in Cellebrite's products, which, as we know, allows snoopers to break into devices when they have physical access to them. And what I loved is that Apple's restricted mode also helps with this by proactively blocking data access to iPhones and iPads when they've been locked for more than an hour. So after the phone's been locked for more than an hour, the physical access through the external port is restricted, so that, you know, you can't plug it in and have it be a drive or connect it to your car or whatever, you know. Very cool. The vulnerability in Apple's iOS and iPadOS affects iPhone XS and later; iPad Pro 13-inch; iPad Pro 12.9-inch 3rd generation and later; iPad Pro 11-inch 1st generation and later; iPad Air 3rd generation and later; iPad 7th generation and later; and iPad mini 5th generation and later, said Apple. So across the board that's been fixed. And, you know, just a good thing that they're doing that, staying on top of this. In other news, we have, Leo, James Howells. That's the poor guy who lost his hard drive.
Leo Laporte
I know, I know that name.
Steve Gibson
Yeah. Containing the only copy of the 51 character private key which he needs to unlock his cryptocurrency wallet.
Leo Laporte
Sounds familiar. His wife threw it out, by the way. Did you see that?
Steve Gibson
Yeah. The wallet contains 8,000. Yes, you heard me right. 8,000 bitcoins.
Leo Laporte
$800 million.
Steve Gibson
$800 million, give or take, with Bitcoin now worth around $100,000 each. Ouch. That's gotta hurt. James is certain that the drive was mistakenly thrown out with the trash and is now lurking somewhere in a landfill in Newport City, Wales. Last month, he lost a court battle with the Newport City Council in Wales, which may have been his last shot at excavating the dump, since soon after, the city council revealed that it would be closing the landfill and building a large solar farm on the site. He offered to purchase the landfill. He was going to get investors who would all be willing to gamble that he was going to be able to find the drive somewhere. And so they would invest in subsidizing his purchase of the entire landfill property so that he could go through it gunky bit by gunky bit. I mean, we're talking old bananas. And to find the hard drive and then, you know, recover his $800 million. Anyway, they, the city council, said no, we're not going to offer it for sale. We're going to set up a solar farm there, because we want to replace our fleet of diesel garbage trucks with EVs to help the city transform itself into a renewable energy, lower carbon footprint environment. So sorry about that. Yeah, the opportunity is closing. You know, you're not, unless you're going to tunnel underneath the solar farm. I don't think they're going to allow them to do that. So. Ouch. Looks like that chapter is closing. And of course, stories abound, right, of people who... well, and my own and yours, Leo, who didn't take those early Bitcoin wins very seriously.
Leo Laporte
Somebody we know very well bought. I think he said three Bitcoin for $6 back in the day. It was right around when we were talking about it. He heard the show. He has kept them all this time.
Steve Gibson
Nice.
Leo Laporte
And he is about to buy a car. He calls it his $6 car.
Steve Gibson
Nice.
Leo Laporte
It will be a nice car.
Steve Gibson
Nice.
Leo Laporte
But you have to keep it. That's the problem. When it gets to 100 bucks, you might be tempted. When it gets to 150.
Steve Gibson
Well, I remember that spike at 17,000 that sent me on my first complete check of every hard drive, every drive image, everything that I had, where it might have been around. And yes, had I found it, I would have said woohoo.
Leo Laporte
You would have sold it, right?
Steve Gibson
Absolutely. Absolutely.
Leo Laporte
And now you'd be kicking yourself. I'm just figuring I'm going to hold on to that wallet until quantum computers can crack the RSA encryption and then I'll have some money.
Steve Gibson
That'd be cool.
Leo Laporte
Might be worth millions by then.
Steve Gibson
It absolutely could. Because as I covered, you were on vacation when Tom and I did the bitcoin.
Leo Laporte
The intro to bitcoin.
Steve Gibson
Yeah, the whole podcast was on the topic of the bitcoin blockchain, and I explained how it worked and how the number of bitcoins was asymptotically approaching a limit. It was designed-in scarcity, which is the reason we've seen what's happened happen. I should have taken my own advice.
Leo Laporte
Oh, Steve.
Steve Gibson
I've been waiting to gain sufficient experience with a new-to-me sci-fi author before mentioning my recent science fiction reading enjoyment. As I mentioned at the top of the show, I don't remember if it was before we began recording or not, I took ChatGPT up on its advice about other authors who were similar to those whose novels I previously enjoyed, sometimes more often than once. As we recall, ChatGPT not only produced a list of recommendations, but among those were others of my favorites that I had never mentioned or asked about in that proposal to ChatGPT. And, you know, being cautiously suspicious of AI, we wondered whether ChatGPT might have previously ingested my own published sci-fi reading list or even the transcripts of this podcast. Who knows how it came up with them, but it did suggest others that, you know, I had already read. But in any event, I obtained a handful of new author recommendations. Since I had seen Neal Asher's name around a lot, I purchased a copy of Gridlinked, and I do mean purchased. It wasn't offered as part of the Kindle Unlimited plan, which I subscribe to. Everything else I've been reading recently has been, but given that inflation has jacked the price of, Leo, a five-shot Starbucks Venti latte to $9.50.
Leo Laporte
Are there eggs in it?
Steve Gibson
No, but that. But it was the. It's the shots. Somehow espresso got very expensive.
Leo Laporte
We ate at the Waffle House in Tucson. There's a 50 cent per egg surcharge, so everything's more expensive these days.
Steve Gibson
Wow. Anyway, paying $7 for a novel, that will give me weeks of true enjoyment. It works for me.
Leo Laporte
And you're supporting the arts, you're supporting creation. Yes, that's.
Steve Gibson
Yes, thank you. That's buy stuff too. Yeah, you know, but the novel's got to be good, you know, remember that. You know that awful thing that I tried writing or try. Tried reading, where the first sentence was the starship Zigawatt dropped into orbit immediately.
Leo Laporte
I dropped those immediately.
Steve Gibson
No, no, not, not Zigawatt.
Leo Laporte
Not Zigawatt. No.
Steve Gibson
I started with Gridlinked because it was Asher's early work and I prefer to start at the beginning of an author's work. But if the critics on Reddit know what they're talking about, this five-novel series, the series of which Gridlinked is the first, pales in comparison to Asher's later work. Someone who finished Gridlinked asked on Reddit whether the other four in the series were worth reading, and someone replied, quote, I think he was finding his feet in the Polity universe with Gridlinked. They said his following works are miles ahead. Keep at it, you won't be disappointed. Well, that sounds great to me because I'm already not disappointed. You know, I've mentioned that I seem to be quite sensitive to an author's ability to write. You know, it's not just the plot and the characters. For me they need to be able to express themselves. And this Neal Asher really can. It's a little disturbing that Brits spell ass, as in someone's rear. Yeah, it's like, that's okay. That's like. Do you actually print? Yeah. Do you say arse?
Leo Laporte
Yeah, they say arse.
Steve Gibson
You do?
Leo Laporte
I don't think it's a different spelling. I think it's just a different way of saying.
Steve Gibson
No, it is A R S E.
Leo Laporte
Yeah, yeah, no, I know, but I mean I think it's just another. I don't think it replaces. Well, I don't know.
Steve Gibson
We don't need to go deep into this anyway. Goodreads described Gridlinked by writing: Gridlinked is a science fiction adventure in the classic fast-paced, action-packed tradition of Harry Harrison and Poul Anderson, with a dash of cyberpunk and a splash of Ian Fleming added to spice the mix. Ian Cormac is a legendary Earth Central Security agent, the James Bond of a wealthy future where runcibles, matter transmitters controlled by AIs, allow interstellar travel in the blink of an eye throughout the settled worlds of the Polity. Unfortunately, Cormac is nearly burnt out, having been gridlinked to the AI net for so long that his humanity has begun to drain away. He has to take the cold turkey cure and shake his addiction to having his brain on the net. Okay, now it's a bit freaky that Neal Asher wrote about net addiction and the tendency to lose one's humanity through being over-connected back in 2001, 24 years ago, when this book was first published. So anyway, I'm not going to say much more other than I'm now 67% through the second of the five-book series and I am really enjoying them. And in fact I've been reading the second book since I saw that sort of, you know, pooping on his work stuff over on Reddit, and being willing to be more critical of it, I really like it. I'm sorry. I like it. So what's really interesting is that this particular Polity universe is run by dispassionate AIs because humans cannot be trusted to wield such power. Basically the people said okay, you know, sorry, you know, politics corrupts. So we're just going to turn this over to AIs because, you know, we can't be trusted with it. Within the Polity, life is sweet and orderly with no crime and everyone has something interesting to do, you know. So what it reminded me of is Star Trek's Federation of Planets, remember, where there isn't even any currency anymore. You just, you know, do things that are good. 
So of course there are those who chafe under the bit of authority and who prefer the freedom of what, you know, is anarchy. So there's plenty of adventure and war and opportunity to be found out on the fringe, beyond the control of the Polity. Anyway, mostly Neal Asher can write, and I think he's a terrific storyteller. I will definitely keep paying $7 each for the next three books. And given the Reddit comments about Neal's follow-on works, and there's like 15 of them at least. I mean, he's been very prolific because he started writing in 2001 and he's been going steadily, you know, I'm going to be very glad that I took ChatGPT up on its suggestions for similar authors. And I have one piece of listener feedback, because I had so much that I wanted to share about the Chrome Web Store. Bob McNaughton said: This might be obvious, but surely if you configure DNS over TLS in your browser, you will miss out on the caching performed by any of the more local DNS resolvers, such as the one in your router. Wouldn't it be better to use DNS over TLS in the router, thus hiding your DNS queries from your ISP, but getting the advantage of cached lookups other people on the same LAN have performed? So Bob is 100% correct. Of course, in all of our discussion I had not mentioned that if a user configures their local web browser to use any form of encrypted DNS service, which seems to be the way things are evolving, some local caching, for example by the local router if it does DNS caching, although a lot of them don't, would be lost. The flip side of this is that the emerging DNS benchmark code which I'm working on continues to show that once a TCP and TLS connection have been negotiated and brought up, which browsers typically do once per page, the individual flurry of DNS lookups being offered by the Internet's major providers over those encrypted TLS connections are actually being resolved faster by them than, for example, by my own ISP's local resolvers. 
So, I mean, it's still faster to do it that way. As we noted last week, this might be due to the fact that encrypted DNS servers are still lightly loaded, because the use of DNS over TLS or DNS over HTTPS is still by far the exception rather than the rule. But I'm going to be very interested to learn what everyone else discovers once the benchmark can start to be more widely used. So. Okay Leo, our last break and then we're going to dig into the really information-packed posting by somebody who knows the Chrome Web Store inside and out.
Leo Laporte
Okay, I'm excited. Well, no, that would be a lie. I am anticipating with great interest. How about that our show today. I mean, it's good stuff. I'm not saying it's bad stuff, I'm just. I'm not like jumping up and down with excitement for it. I just want to hear it.
Steve Gibson
I get it. Thank you Leo for clarifying that.
Leo Laporte
Our show today, brought to you by Bitwarden, the trusted leader in passwords, secrets and passkey management. With over 10 million users. This really makes me happy. I've been a Bitwarden fan since they were a lot smaller. Open source project deserves all the success it gets. 10 million users, 180 countries, 50,000 business customers worldwide. I bet you didn't know that. I think people don't realize Bitwarden is a great enterprise solution. In fact, Bitwarden has entered 2025 as the essential security solution for organizations of all sizes. Consistently ranked number one in user satisfaction by G2. Recognized as a leader in SoftwareReviews' Data Quadrant, Bitwarden continues to protect businesses as well as individuals worldwide. And part of it is because Bitwarden pays a lot of attention to the features that businesses want, but also they pay attention to us users. For instance, they just announced the general availability of Bitwarden's apps for iOS and Android. You may say, well, wait a minute, they've been there forever. Yes, but these are their first native mobile applications. That means faster load times, improved overall app functionality, and of course they are exactly matched to the platform, iOS and Android. So they're a much more intuitive user experience. It really looks nice. Plus the deeper hardware integration, especially on iOS, means that you've got biometric authentication, multi-device support, so it's actually more secure. Bitwarden has strengthened its password manager with SSH. Now, this is a big issue. How many times, maybe you've done it, I think I have, have you accidentally committed your SSH private keys, let's say, to a GitHub repository? 90% of authorized SSH keys in large organizations actually go unused, and how often are they accidentally shared? So now there is SSH key generation and management right inside Bitwarden. 
So you've got centralized cryptographic key management, enabling secure storage, import and, yes, generation of SSH keys directly within the Bitwarden vault. I actually have in my Notion a long list of the steps to take to generate new SSH keys. Where to put the private keys, how to protect the directory, where to upload the public keys, and all of that. Now it's all handled by Bitwarden, which really enhances workflows for developers, IT professionals, anybody who uses SSH. I think what sets Bitwarden apart is it's prioritizing simplicity, because they know you're not going to use a security solution if it's hard or unintuitive, right? Bitwarden setup only takes a few minutes. If you migrate at work, you'll see they support importing from most password management solutions, or even as an individual. And of course, as always, Bitwarden's source code is open source, anyone can inspect it, and it's regularly audited by third party experts and they publish the full report. So absolute transparency. Your business deserves a cost-effective solution for enhanced online security. So see for yourself. Get started today with Bitwarden's free trial of a Teams or Enterprise plan. But you know, I'm an individual, I use it as an individual. And I'm sure you're all using some sort of password manager. Consider Bitwarden. And then if you've got friends and family, we all do, who say, oh, I don't need a password manager, I'm just going to use my mother's maiden name and my dog's birthday, get them to use Bitwarden. You can tell them it's free because it's open source, free forever across every device. Unlimited passwords, passkeys, secrets, everything free for individuals. bitwarden.com/twit. And if you're a super geek, you'll be glad to know you can even host your own Bitwarden vault. bitwarden.com/twit. It's a really great solution. We're very proud to have them as a sponsor for so many years. All right, Steve. I am now excited.
Steve Gibson
I'm excited, intrigued, intrigued, interested.
Leo Laporte
I am thrilled, thrilled, I tell you, through this.
Steve Gibson
Yes. Okay. As I said, "Chrome Web Store is a mess" is the exact title someone who should know gave to a recent blog posting of his a few weeks ago, Wladimir Palant. His posting caught my eye both due to his pedigree and due to the importance of his message. Anyone who's been following this podcast for more than a few years could probably reduce the number of major security trouble sources to a high single digit. And among the most important would be the security of web browser extensions. Because web browsers are the way we interface to the Internet and the rest of the world so much. You know, extensions to the basic functionality of our web browsers have been with us since nearly the beginning, and 20 years ago, back when there was much less to do on the Internet, the security of an add-on was much less critically important. In fact, the very first extensions didn't have any security. Mozilla created an extension mechanism and you really needed to trust the source of that code completely. But every year since then, more and more of our lives have moved online. This has meant that the overall security and privacy offered by the web browsers we use to interact with the Internet has become increasingly important. And no one who has listened to more than a couple of this podcast's episodes could entertain any doubt that, disheartening though it might be, the world is apparently filled with an astonishing number of total strangers who would hurt us without a second thought to obtain any advantage. Several times in recent weeks I focused our attention upon the security and privacy issues surrounding web browser add-ons. Sadly, there are many. So when I saw that Wladimir Palant had taken the time to push back a bit from the entrails of specific add-ons to survey the larger picture, I knew that was something I wanted to share. Earlier, I mentioned Wladimir's pedigree, but his name may not ring any bells right off. So here's how he explains himself on his blog site. 
He writes: My name is Wladimir Palant and I'm mostly blogging about security topics these days. You will often see me taking apart browser extensions because I've been developing those myself since 2003. One particularly well-known project of mine is Adblock Plus, which I originally developed. Eventually I co-founded eyeo, a company to take care of this project. I'm still developing the browser extension PfP: Pain-free Passwords, while my other extensions have become obsolete over time. My writing is meant to help people learn, so I aim to provide information on both how vulnerabilities can be found and how they can be prevented in your own code. I won't merely discuss security issues, but also try to draw generic conclusions from those and give recommendations. Despite researching security topics since at least 2007, I still do it as a hobby rather than my job. I experimented with earning money via bug bounty programs, which resulted in acceptable income. However, other aspects eventually turned me away from bug bounties. In particular, I want to write about my research and don't want to be prevented from it by a company taking years to fix an issue. Okay? In other words, he was becoming annoyed that after finding and reporting some problem and being paid for his responsible disclosure, the bug bounty agreement would require that he never reveal anything about the problem until after it had been fixed. This differs, of course, from unpaid security researchers who are able to set 90-day "fix it before we publish it" deadlines. So Wladimir was becoming annoyed that bugs were being purchased and he was being effectively gagged when he wanted to be able to document the problems and use them as illustrative teaching examples. In any event, here's a highly technical developer who created one of the earliest and most popular and successful privacy extensions, who has been at this for more than 22 years. 
So when this guy titles his blog posting "Chrome Web Store is a mess," I want to understand why he thinks so. Wladimir wrote: Let's make one thing clear first. I'm not singling out Google's handling of problematic and malicious browser extensions because it is worse than Microsoft's, for example. No, Microsoft is probably even worse, but I never bothered finding out. That's because Microsoft Edge doesn't matter. Its market share is too small. Google Chrome, on the other hand, is used by around 90% of users worldwide, and one would expect Google to take their responsibility to protect its users very seriously, right? After all, browser extensions are one selling point of Google Chrome, so certainly Google would make sure they're safe. Unfortunately, he writes, my experience reporting numerous malicious or otherwise problematic browser extensions speaks otherwise. Google appears to take the least-effort-required approach towards moderating Chrome Web Store. Their attempts to automate all things moderation do little to deter malicious actors, all while creating considerable issues for authors of legitimate add-ons. Even when reports reach Google's human moderation team, the actions taken are inconsistent, and Google generally shies away from taking decisive actions against established businesses. As a result, for a decade my recommendation for Chrome users has been to stay away from Chrome Web Store if possible. Again, he writes: As a result, for a decade my recommendation for Chrome users has been to stay away from Chrome Web Store if possible. He said: Whenever extensions are absolutely necessary, it should be known who is developing them, why, and how the development is being funded. Just installing some extension from Chrome Web Store, including those recommended by Google, as we'll see, or featured, is very likely to result in your browsing data being sold or worse. Google employees will certainly disagree with me. 
Sadly, much of it is organizational blindness. I'm certain, he says, that Google meant well and that they did many innovative things to make it all work. But looking at it from the outside, it's the result that matters. And for the end users, the result is a huge and rather dangerous mess. Okay, so some recent examples, he said. Five years ago I discovered that Avast browser extensions were spying on their users. That was he who discovered this. Remember, we covered that at the time. It was a big deal. It's this guy who made the discovery, which may be why his name is at least somewhat familiar to some of us. He continues: Mozilla and Opera disabled the extension listings, that is, the Avast browser extension listings, immediately, he says, after I reported it to them. Google, on the other hand, took two weeks, where they supposedly discussed their policies internally. The result of that discussion was eventually their No Surprises policy, which says: Building and maintaining user trust in Chrome Web Store is paramount, which means we set a high bar for developer transparency. All functionalities of extensions should be clearly disclosed to the user, with no surprises. This means we will remove extensions which appear to deceive or mislead users, enable dishonest behavior, or utilize clickbaity functionality to artificially grow their distribution. Okay, so he says: So when dishonest behavior from extensions is reported today, Google should act immediately and decisively, right? Let's take a look at two examples that came up in the last few months. In October, he says, I wrote about the Refoorest extension deceiving its users. I could conclusively prove that Colibri Hero, the company behind Refoorest, deceives their users on the number of trees they supposedly plant, incentivizing users into installing with empty promises. In fact, there's a strong indication that the company never even donated for planting trees beyond a rather modest one-time donation. 
Google got my report and dealt with it. What kind of action did they take? That's a very good question that Google won't answer. But Refoorest is still available from Chrome Web Store, it is still featured, and it still advertises the very same completely made-up numbers of trees they supposedly plant. Google even advertises for the extension, listing it in the Editors' Picks extensions collection. Probably the reason why it gained some users since my report. So much for being honest. For comparison, Refoorest used to be available from Firefox Add-ons as well, but was already removed when I started my investigation. Opera removed the extension from their add-on store within hours of my report. But maybe that issue wasn't serious enough. After all, there's no harm done to users if the company is simply pocketing the money they claim to spend on a good cause. So also in October I wrote about the Karma extension spying on users. Users are not being notified about their browsing data being collected and sold, except for a note buried in their privacy policy. Certainly that's identical to the Avast case mentioned before, and the extension needs to be taken down to protect users. Again, Google got my report and dealt with it, and again I failed to see any result of their action. The Karma extension remains available on Chrome Web Store unchanged. It will still notify their server about every web page its users visit. The users still aren't informed about this. Yet their Chrome Web Store page continues to claim "This developer declares that your data is not being sold to third parties outside of the approved use cases," a statement contradicted by the extension's own privacy policy. The extension appears to have lost its featured badge at some point, but now that's back. Note, of course, Karma isn't the only data broker that Google tolerates in Chrome Web Store. 
I published a guest article today by a researcher who didn't want to disclose their identity, explaining their experience with BIScience Ltd., a company misleading millions of extension users to collect and sell their browsing data. This post also explains how Google's approved use cases effectively allow pretty much any abuse of users' data. Neither Refoorest nor Karma were isolated instances. Both recruited or purchased other browser extensions as well. These other browser extensions were turned outright malicious, with stealth functionality to perform affiliate fraud and/or collect users' browsing history. Google's reaction was very inconsistent here. While most extensions affiliated with Karma were removed from Chrome Web Store, the extension with the highest user numbers, and performing affiliate fraud without telling their users, was allowed to remain for some reason. With Refoorest, most affiliate extensions were removed or stopped using their ImpactHero SDK. Yet when I checked more than two months after my report, two extensions from my original list still appeared to include that hidden affiliate fraud functionality, and I found seven new ones that Google apparently didn't notice. As for the reporting process, you may be wondering: if I reported these issues, why do I have to guess what Google did in response to my reports? Keeping developers who report in the dark is Google's official policy. And he quotes a pop-up that he received that says: Hello developer, thank you again for reporting these items. Our team is looking into the items and will take action accordingly. Please refer to the possible enforcement actions and note that we are unable to comment on the status of individual items. Thank you for your contributions to the extensions ecosystem. Sincerely, Chrome Web Store Developer Support. In other words, you explicitly receive no feedback. 
As somebody who reports a problem to the Chrome Web Store, he says, this is the same response I received in November after pointing out the inconsistent treatment of the extensions. A month later, the state of affairs was still that some malicious extensions got removed while other extensions with identical functionality were available for users to install, and I have no idea why that is. I've heard before that Google employees are not allowed to discuss enforcement actions, and your guess is as good as mine as to whom this policy is supposed to protect. Supposedly the idea of not commenting on policy enforcement actions is hiding the internal decision-making process from bad actors so that they don't know how to game the process. If that's the theory, however, it isn't working. In this particular case, the bad actors got some feedback, be it through their extensions being removed or, you know, due to adjustments demanded by Google. It's only me, the reporter of these issues, who is left guessing. But this is a positive development. I've received a confirmation that both these reports are being worked on. This is more than I usually get from Google, which is silence and typically also no visible action either. At least until reports start circulating in media publications, forcing Google to then act on it. But let's take a step back and ask ourselves, how does one report Chrome Web Store policy violations? Given how much Google emphasizes their policies, there should be an obvious way. In fact, there's a support document for reporting issues, and when I started asking around, even Google employees would direct me to it. And he shows a bunch of radio buttons on this, where the radio buttons are: "Did not like the content," "Not trustworthy," "Not what I was looking for," "Felt hostile," "Content was disturbing" and "Felt suspicious." 
And then it's highlighted with: If you find something in Chrome Web Store that violates the Chrome Web Store terms of service or trademark or copyright infringement, let us know. And then those were the radio button options. But Wladimir notes, he says, this doesn't seem like the place to report policy violations. Even "Felt suspicious" isn't right for an issue you can prove is a violation, he says. And unsurprisingly, after choosing this option, Google just responds with "Your abuse report has been submitted successfully." No way to provide any details, no asking for my contact details in case they have questions, no context whatsoever, merely "Felt suspicious." This is probably fed to some algorithm somewhere, which might result in I don't know what actually. Judging by malicious extensions where users have been vocally complaining, often for years, nothing whatsoever results. This isn't the way, he says, you know, to do this, right? And he says, well, there's another option listed in the document: If you think an item in the Chrome Web Store violates a copyright or trademark, fill out this form. And he says, yes, Google seems to care about copyright and trademark violations, but a policy violation is neither. If we try the form, that is, try to use this form nevertheless, it gives us a promising selection. We have two options: "Policy, meaning a non-legal reason to report content" or "Legal reasons to report content." He says, finally, yes, policy reasons are exactly what we're after. Let's click that. And here comes another choice, and there's only one. It's under "Select the reason you wish to report content" and it has a radio button: "Child sexual abuse material. Report images or videos involving a child under 18 engaging in sexually explicit behavior." He says, well, that's really the only option offered, and I have questions. At the very least, those are: In what jurisdiction is child sexual abuse material a non-legal reason to report content? 
And since when is that the only policy that Chrome Web Store has? He says, we can go back and try legal reasons to report content, of course, but the options available are really legal issues: intellectual property, court orders, or violations of hate speech law. So that's another dead end. He says, it took me a lot of asking around to learn that the real and well-hidden way to report Chrome Web Store policy violations is Chrome Web Store One Stop Support. He says, I mean, I get it that Google must be getting lots of nonsense reports and they probably want to limit that flood somehow. But making legitimate reports almost impossible can't really be the way. In 2019, Google launched the Developer Data Protection Reward Program (DDPRP), meant to address privacy violations in Chrome extensions. Its participation conditions were rather narrow for my taste. Pretty much no issue would qualify for the program, but at least it was a reliable way to report issues, which might even get forwarded internally. Unfortunately, Google discontinued this program in August of 2024. It's not that I'm very convinced of DDPRP's performance. I've used that program twice. First time I reported Keepa's data exfiltration. DDPRP paid me an award for the report, but from what I could tell, allowed the extension to continue unchanged. The second report was about the malicious PDF Toolbox extension. The report was deemed out of scope for the program, but forwarded internally. The extension was then removed quickly, but that might have been due to the media coverage it received. The benefit of the program was that it was a documented way of reaching a human being at Google who would look at a problematic extension. Now it's gone. And what about the Web Store and their spam issue? He says, in theory there should be no spam on Chrome Web Store. The policy is quite clear on that, quote: 
We don't allow any developer, related developer accounts, or their affiliates to submit multiple extensions that provide duplicate experiences or functionality on the Chrome Web Store. That's what Wladimir considers spam: spamming the store with essentially identical apps. He says, unfortunately, this policy's enforcement is lax at best. Back in June of 2023, I wrote about a malicious cluster of Chrome extensions. Yeah, he says, I listed 108 extensions belonging to a single cluster, pointing out their spamming in particular. Thirteen were almost identical video downloaders, nine almost identical volume boosters, nine almost identical translation extensions, five almost identical screen recorders. Definitely not providing individual value, he said. I've also documented the outright malicious extensions in this cluster, pointing out that other extensions are likely to turn malicious as well once they have sufficient user counts. And how did Google respond? The malicious extensions have been removed, yes, but other than that, 96 extensions from my original list remained active in January 2025, and there were of course more extensions that my original report did not list. For whatever reason, Google chose not to enforce their anti-spam policy against them. And that's merely one example. My most recent blog post documented 920 extensions using tricks to spam Chrome Web Store, most of them belonging to a few large extension clusters. As it turned out, Google was made aware of this particular trick a year ago, before my blog post already. And again, for some reason Google chose not to act. What about extension reviews? Can they be trusted? When you search for extensions in Chrome Web Store, many results will likely come from one of the spam clusters. But the choice to install a particular extension is typically based on reviews. Can at least these reviews be trusted? 
On the topic of moderation of reviews, Google says: Google does not verify the authenticity of reviews and ratings, but reviews that violate our terms of service will be removed. And the important part of the terms of service, he writes, is: Your reviews should reflect the experience you've had with the content or service you're reviewing. Do not post fake or inaccurate reviews, the same review multiple times, reviews for the same content from multiple accounts, reviews to mislead other users or manipulate the rating, or reviews on behalf of others. Do not misrepresent your identity or your affiliation to the content you're reviewing. Now, you may be wondering how well these rules are being enforced. The obviously fake review on the Karma extension is still there three months after being posted. Not that it matters with their continuous stream of incoming five-star reviews, he says. A month ago, I reported an extension to Google that, despite having merely 10,000 users, received 19 five-star reviews on a single day in September and only a single negative review since then, he says. I pointed out that it is a consistent pattern across all extensions of this account. For example, another extension with only 30 users received nine five-star reviews on the same day. It really doesn't get any more obvious than that. Yet all these reviews are still online. I actually, for what it's worth, have a picture of them. Sophia Franklin, September 29, 2024, 5 stars: Solved all my proxy switching issues. Fast, reliable and free. Robert Anthony, same day, September 19, 2024, 5 stars: Very user friendly and efficient for managing proxy profiles. Liz Berry: Works like a charm. A must-have for anyone using multiple proxies. Godwin Max: No more digging through settings. This extension makes proxy switching so much easier. 5 stars. Also Anthony Brookley, 5 stars, September 19th, all of these the same day: Excellent proxy tool flexibility. Perfect for my needs. Going Kate, five stars:
Smooth performance and no issues switching between different proxies. Daty Max: Makes proxy management hassle-free, simple and effective. Wow. So I have a lot to say in reaction to what Wladimir is observing and reporting, but I'm holding that for a minute until he's finished. Still, I just wanted to note, and I hear you laughing and chuckling, Leo, in the background, I understand, I want to note that the automated cleanup of clearly bogus reviews would be trivial to implement. Wladimir is made suspicious when an extension with 30 users acquires nine five-star reviews all on the same day. Right? One wonders whether they were all posted from different accounts at the same IP address. Google would know, but even if not, the fraudulent pattern is glaringly obvious. And remember that it's more than likely that this conduct is also reflected in the operation of the extension itself. Someone who's unwilling to honestly earn a reputation for their extension is more likely to have ulterior motives for creating it in the first place. So if Google were to automate extension review cleanup, which again would be trivial for them to do, they would be reducing the damage being done through the fraudulent over-promotion of less savory extensions. Because no trivial cleanup is happening, we need to wonder whether review spamming may be something Google doesn't mind, despite the policy publicly posted, you know, to the contrary. And they don't mind it even if it's actually clearly hurting Chrome's users, because it's the spammy reviews that are going to have the unsavory actions against their users, selling their browsing histories. Wladimir says: And it isn't only fake reviews. The Reforest extension incentivizes reviews, which violates Google's anti-spam policy, which says developers must not attempt to manipulate the placement of any extensions in the Chrome Web Store.
This includes, but is not limited to, inflating product ratings, reviews, or install counts by illegitimate means, such as fraudulent or incentivized downloads, reviews and ratings. He says, it's been three months and they're still allowed to continue. The extension gets a massive amount of overwhelmingly positive reviews, users get their fake trees, and everybody is happy. Well, all other than the people trying to make sense of these meaningless reviews. With reviews being so easy to game, it looks like lots of extensions are doing it. Sometimes it shows a clearly inflated review count, sometimes it's the overwhelmingly positive or meaningless content. At this point, any user rating with an average above four stars is likely to have been messed with. And he said, what about featured extensions? He said, but at least the Featured badge is meaningful, right? It certainly sounds like somebody at Google reviewed the extension and considered it worthy of carrying the Featured badge. At least Google's announcement indeed suggests a manual review. They say Google team members manually evaluate each extension before it receives the badge, paying special attention to the following. We've got two points. First, adherence to Chrome Web Store's best practices guidelines, including providing an enjoyable and intuitive experience, using the latest platform APIs, and respecting the privacy of end users. And second, a store listing page that is clear and helpful for users, with quality images and a detailed description. He says, yet, looking through the 920 spammy extensions I reported recently, most of them carry the Featured badge. Yes, even the endless copies of video downloaders, volume boosters, AI assistants, translators and such. If there's an actual manual review of these extensions, as Google claims, it cannot be thorough.
To provide a more tangible example, the Chrome Web Store currently has BlazeVPN, Safum (S-A-F-U-M) VPN, and Snap VPN extensions, all carrying the Featured badge. These extensions, along with Ishaan VPN, which has barely any users, belong to the PDF Toolbox cluster, which produced malicious extensions in the past. A cursory code inspection reveals that all four are identical and are in fact clones of Nucleus VPN, which was removed from Chrome Web Store in 2021. And they also don't even work. No VPN connections succeed. The extension not working is something users of Nucleus VPN complained about, which the extension compensated for by loading it up with fake reviews. And again, all of these carry the Featured Extension badge. So it looks like the main criteria for awarding the Featured badge are the things which can be easily verified automatically, like user count, Manifest V3, claims to respect privacy (not even the privacy policy, merely the right checkbox was checked), and a Chrome Web Store listing with all the necessary promotional images. Given how many such extensions are plainly broken, the requirements on the user interface and general extension quality don't seem to be too high, and providing unique functionality definitely is not on the list of criteria. In other words, if you're a Chrome user, the Featured badge is completely meaningless. It's no guarantee that the extension is not malicious, not even an indication. In fact, authors of malicious extensions will invest some extra effort to get the badge. That's because the website algorithm seems to weigh the badge considerably towards the extension's ranking.
Leo Laporte
We will get back to the thrilling, gripping story of the Chrome extension mess in just a second with Steve, but first, a word from our sponsor. This episode of Security Now, this portion, is brought to you by Vanta, V-A-N-T-A. Trust is not just earned, it's demanded. Whether you're a startup founder navigating your first audit or a seasoned security professional scaling your GRC program, proving your commitment to security has never been more critical or more complex. But Vanta makes it easy. Businesses use Vanta to establish trust by automating compliance across over 35 frameworks, including SOC 2 and ISO 27001. Vanta will help you centralize security workflows, complete questionnaires up to five times faster, and proactively manage vendor risk. Vanta can help you start or scale your security program by connecting you with auditors and experts to conduct your audit and set up your security program quickly. Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on what you really care about: building your company. You gotta get the compliance done though, right? That's why over 9,000 global companies like Atlassian, Quora, and Factory use Vanta to manage risk and prove security in real time. For a limited time, you get $1,000 off Vanta right now, but you have to go to vanta.com/securitynow. That's V-A-N-T-A.com/securitynow, $1,000 off. I love their slogan. I see it every time I go up and down Highway 101 in Silicon Valley: Vanta. Compliance that doesn't suck too much. vanta.com/securitynow. Thank you, Vanta, for supporting the show. You support us by using that address so they know you saw it here.
Steve Gibson
So finally, how did Google get into this mess? Google Chrome, he writes, first introduced browser extensions in 2011. At that point, the dominant browser extension ecosystem was Mozilla's. Having been around for 12 years already, Mozilla's extensions suffered from a number of issues that Chrome developers noticed. Essentially, unrestricted extension privileges necessitated very thorough reviews before extensions could be published on Mozilla's Add-ons website. And since these extension code reviews largely relied on volunteers, they often took a long time, with publication delays being very frustrating to the add-on developers, he says. Note that I was an extension reviewer on Mozilla Add-ons myself between 2015 and 2017, he says. Google Chrome was meant to address all these issues. It pioneered sandboxed extensions, which allowed limiting extension privileges. And Chrome Web Store focused on automated reviews from the very start, relying on heuristics to detect problematic behavior in extensions so that manual reviews would only be necessary occasionally and after the extension was already published. And of course I remember we talked about all of these things when Chrome first happened on this podcast, because it was during the podcast this all happened, he says. Eventually, market pressure forced Mozilla to adopt largely the same approaches, he says. Google's over-reliance on automated tools caused issues from the very start, and it certainly didn't get any better with the increased popularity of the browser. Mozilla accumulated a set of rules to make manual reviews possible. For example, all code should be contained in the extension, so no downloading of extension code from web servers remotely. Also, reviewers had to be provided with an unobfuscated and unminified version of the source code. Google didn't consider any of this necessary for their automated review systems, so when automated review failed, manual review was often very hard or even impossible.
You couldn't fall back, he says. It's only with the recent introduction of Manifest V3 that Chrome finally prohibits remotely hosted code. In other words, until then, an extension could just download whatever it wanted afterwards, he says. And it took until 2018 to prohibit code obfuscation, while Google's reviewers still have to reverse minification for manual reviews, he says. Mind you, we are talking about policies that were already long established at Mozilla when Google entered the market in 2011. And extension sandboxing, while without doubt useful, didn't really solve the issue of malicious extensions. I already wrote about one issue back in 2016, he says, quoting himself: The problem is useful extensions will usually request "give me the keys to the kingdom" permission, so these permissions always need to be granted. Essentially, this renders permission prompts useless. Users cannot possibly tell whether an extension has valid reasons to request extensive privileges, so legitimate extensions have to constantly deal with users who are confused about why the extension needs to read and change all your data on all websites. Eventually, users become desensitized and trained to simply accept such prompts without thinking twice, and then malicious add-ons come along requesting extensive privileges under a pretense. Monetization companies, get this, put out guides for extension developers on how they can request more privileges for their extensions while fending off complaints from users and Google alike. There's a lot of this going on in the Chrome Web Store, and Manifest V3 is unable to change anything about it. So what we have now is, one, automated review tools that malicious actors willing to invest some effort can work around.
Second, lots of extensions with the potential for doing considerable damage, yet little way of telling which ones have good reasons for that and which ones abuse their privileges. Third, manual reviews being very expensive and unreliable thanks to historical decisions. And finally, fourth, massively inflated extension count due to unchecked spam. Those last two, manual reviews being very expensive and unreliable thanks to historical decisions and massively inflated extension count due to unchecked spam, he says, further trap Google in the "it needs to be automated" mindset, because after all, you know, there are 135,000 extensions now and it's completely lost control, he says. Yet adding more automated layers isn't going to solve the issue when there are companies which can put 100 employees on devising new tricks to avoid triggering detection, he says. Yes, hundreds of employees, because malicious extensions make a lot of money and are big business. So what could Google do if Google were interested in making Chrome Web Store a safer place? I don't think there is a way around investing considerable manual effort into cleaning up the place. Taking down a single extension won't really hurt the malicious actors. They have hundreds of other extensions in the pipeline. Tracing the relationships between extensions, on the other hand, and taking down entire clusters, that would change things. As the saying goes, the best time to do this was a decade ago. The second best time is right now, when Chrome Web Store, with its somewhat less than 150,000 extensions, is certainly large, but not yet large enough to make manual investigations impossible. Besides, there's probably little point in investigating abandoned extensions, those whose latest release is more than two years ago, which make up almost 60% of the Chrome Web Store. And he finishes: But so far Google's actions have been entirely reactive, typically limited to extensions which already caused considerable damage.
I don't know whether they actually want to stay on top of this. From the business point of view, there is probably little reason for that. After all, Google Chrome no longer has to compete for market share, having essentially won against all competition. Even with Chrome extensions not being usable, Chrome will likely stay the dominant browser. Okay, so as we so often observe on this podcast, it's certainly useful to tell someone, as I noted at the top, to be careful when they may be considering some action that might have negative consequences for them. But at least for me, if I'm told not to do something in order to really accept that, I want to understand why. I want to understand exactly why something would be bad for me. You know, actually, I think that's why I grew up to respect my father. He was an explainer, so I suppose I come by that honestly.
Leo Laporte
That's where you got it, huh?
Steve Gibson
Yeah, his explaining approach always made so much sense to me, because armed with an understanding, no one needs to tell me anything about what to do or not to do, since I'm able to judge that for myself. So in the case of Google Chrome Web Store extensions, I'm not going to tell anyone not to download and install extensions they feel they need. Rather, everyone who's reached this point in today's podcast is now fully equipped to judge for themselves whether anything that's there may be worth their time. It would be great if Google were able to function as a reliable curator of the 135,000 Chrome Web Store extensions that are currently available for download. We now absolutely know that, for whatever reason, they are unable and/or unwilling to do so. So we're individually on our own, knowing all the things that are wrong: rampant spamming of code-identical extensions under different names, the return of previously removed hostile extensions under different names, an essentially broken extension permissions system, totally bogus five-star reviews, conscientious developer reports going completely unheeded, featured extensions having no additional value whatsoever, and more. You know, the title Wladimir gave to his extremely informative blog posting, Chrome Web Store is a Mess, seems entirely fitting. I author these show notes in Google Docs every week, so I'm in a web browser while I'm writing this, and at one point while I was writing this yesterday, I looked up at the top of my browser with the intention to enumerate the browser extensions I'm using. Then I realized with a smile that none of this applies to me, since I don't use Chrome at all. I'm happily using Firefox, where the full-strength uBlock Origin still continues to work. While I'm sure that many of the same issues plague Mozilla's extension repository, Wladimir's comments did indicate that Mozilla and Opera may have been far more responsive to abuse reports. And that's important.
If nothing else, it's Chrome that has by far the largest market and well, the largest target painted on its back. In this case, I'd rather stick with an also ran browser where the browser I'm using is not as big a target as Chrome.
Leo Laporte
Yeah, and I think also it's probably the case that if you stick to a handful of well known extensions, you're okay. I mean look at that dopey extension he's talking about.
Steve Gibson
You know, Privacy Badger, uBlock Origin. Yeah, you know, obviously.
Leo Laporte
I have, I use quite. I. I'm on Arc, which is a Chromium.
Steve Gibson
Right.
Leo Laporte
Derivative. But so I am using Chrome extensions, but I stick... I mean, I guess it's always possible. I have Bitwarden, that's safe. Of course, Kagi Search, that's safe. Raindrop.io. Snowflake, which I forgot I put on here. That's cool. That's the Tor reflector. And uBlock Origin. I think they're probably all fine. Yes, I don't need a browser extension to set my proxies.
Steve Gibson
And Leo, it's not clear you can even get one. Yeah, there may not be one that actually does that.
Leo Laporte
I'm actually much more concerned and it's true that this is a problem in apps as well with malicious SDKs that either used to be okay or have been co opted or always had a.
Steve Gibson
Little bit of supply chain attacks.
Leo Laporte
Yeah, I mean there's so many of those, and so many... very few developers write all their code. Almost all apps, and I'm sure all extensions too, use libraries and other SDKs that could well be malicious. Yeah, that's why you got to use stuff that's trusted. Steve, once again, another fabulous episode of Security Now. Thank you so much. We do this show every Tuesday, so you can watch us live if you want. And it's always nice to have some live viewers. We are on eight different platforms, including YouTube, Twitch, X.com, TikTok, we're on Facebook, we're on LinkedIn, we're on Kick, and of course for our club members, we're on Discord. We do the show Wednesdays right after... I'm sorry, Tuesdays right after MacBreak Weekly. So that's around 1:30 to 2pm Pacific, 5pm Eastern, 2200 UTC. You can watch it on those live streams. After the fact, of course, you'll get the edited version. You won't get all that good pre-show stuff though, I gotta tell you. But at least you can listen at your leisure. Steve's got a couple of unique copies on his website. Of course he has the show notes at grc.com. Those are fantastic. He also has human-crafted, not AI-written, but human-crafted transcriptions, which is very handy. You could read along as you're listening, which I think really helps with comprehension. I do that. On your show notes you can see the picture of the day and all of that stuff. He also has a 64 kilobit audio version that's half the size of our normal audio version, 128k. And he has an even smaller 16 kilobit audio version. So all of that at grc.com, Steve's website. While you're there, don't forget, pick up a copy of SpinRite, the world's best mass storage maintenance, recovery and performance enhancing utility. 6.1 is out now, it's official. It is Steve's bread and butter and is well worth the money. If you have any mass storage, you really should have Security... I'm sorry, you should really have SpinRite. You should also have Security Now. Absolutely.
Lots of other great stuff on the website. And if you want to correspond with Steve, you have to first validate your email address. Go to grc.com/email, enter your address, and he'll somehow magically validate that you're a real person. There's also a place there where you can check the check boxes for two of his newsletters. He has the show notes newsletter; you can get that ahead of time. And what's the other one? I don't know. You send out two, right? Am I wrong?
Steve Gibson
Oh yeah. Well, it's super low traffic. It's GRC's news. So it won't be until the DNS benchmark is ready.
Leo Laporte
But if you want a heads up about that, that's worth subscribing to. But again, those are not checked by default. You have to opt in at grc.com/email. You can get a copy of our 128 kilobit audio or our video at our website, twit.tv/sn. There is a YouTube channel dedicated to Security Now. Great way to share clips of the show. Tell your boss, you know, we really ought to get this or whatever. And then you can of course subscribe, and that's probably the best way to get it. That way you're all set for your Wednesday morning with your Security Now ready in the phone to listen to Steve. Have a wonderful week. I will see you next week on Security Now.
Steve Gibson
I'll be working on the DNS benchmark code. It's coming along, getting ready. Thanks my friend.
Leo Laporte
Security now.
Security Now 1013: Chrome Web Store is a Mess
Released on February 19, 2025 by TWiT.tv Shows (Audio)
In this episode of Security Now, host Leo Laporte and guest Steve Gibson delve into a range of pressing security issues. The primary focus centers around the tumultuous state of the Chrome Web Store, alongside discussions on encryption backdoors, ransomware threats, and recent updates from major tech companies like Google and Apple.
[00:00 - 03:52]
Leo introduces the episode by highlighting several key topics, including the controversial request from the UK for Apple to implement a backdoor in its encryption.
Notable Quote:
Steve Gibson [10:52]: "If Apple is forced to build a backdoor in its products, that backdoor will end up in Americans' phones, tablets, and computers, undermining the security of Americans' data as well as of the countless federal, state, and local government agencies that entrust sensitive data to Apple products."
[10:14 - 25:58]
Steve Gibson expresses his discomfort with the term "backdoor," arguing that it inaccurately describes the UK's request. He suggests that the correct term should reflect an intentional bypass of encryption without implying secrecy.
Notable Quote:
Steve Gibson [21:38]: "They want Apple to be holding keys. Apple has said we don't want to be holding keys because that, you know, we don't want that responsibility."
[25:35 - 36:24]
Steve provides an overview of recent Windows patches, detailing the nature and severity of the flaws addressed.
Notable Quote:
Steve Gibson [133:15]: "The problem is useful extensions will usually request 'give me the keys to the kingdom' permission, so these permissions always need to be granted. Essentially, this renders permission prompts useless."
[41:44 - 53:26]
The discussion shifts to the latest ransomware threat from the group known as Ransom Hub.
Notable Quote:
Steve Gibson [42:18]: "Nobody in the world is aware about the data leak from your company except you and Ransom Hub."
[54:01 - 62:23]
Steve introduces a new class of attacks termed "TOAD" (Telephone Oriented Attack Delivery), which Google is actively working to mitigate.
Notable Quote:
Steve Gibson [55:48]: "It's a deliberate shutdown in the phone's multitasking system."
[62:23 - 73:38]
The episode covers Texas Attorney General Ken Paxton's investigation into the Deep Seek app, highlighting concerns over data privacy and national security.
Notable Quote:
Steve Gibson [68:01]: "Deep Seek appears to be no more than a proxy for the CCP... to undermine American AI dominance."
[73:38 - 86:50]
Steve discusses Apple's restricted mode, recent vulnerabilities, and fixes aimed at enhancing device security.
Notable Quote:
Steve Gibson [85:12]: "The vulnerability as described could have been used to enable unlocking technology similar to that that's in Cellebrite's products, which... allows snoopers to break in devices when they have physical access to them."
[86:50 - 84:49]
Leo recounts the story of James Howells, who lost a hard drive containing a significant Bitcoin wallet, illustrating the risks of data management.
Notable Quote:
Steve Gibson [78:19]: "The wallet contains 8,000 bitcoins. Bitcoin now worth around $100,000 each. Ouch. That's gotta hurt."
[86:50 - 143:43]
The centerpiece of the episode is a critical analysis of the Chrome Web Store by Wladimir Palant, a seasoned browser extension developer.
Notable Quotes:
Wladimir Palant [133:15]: "Google's over-reliance on automated tools caused issues from the very start, and it certainly didn't get any better."
Steve Gibson [145:00]: "How could Google get into this mess? Chrome Web Store is a mess."
Notable Quote:
Wladimir Palant [133:15]: "For a decade my recommendation for Chrome users has been to stay away from Chrome Web Store if possible."
Notable Quote:
Wladimir Palant [92:51]: "Chrome Web Store is a mess. It's frustrating and dangerous for users."
Notable Quote:
Steve Gibson [143:43]: "The title Wladimir gave to his extremely informative blog posting of Chrome Web Store is a mess. Seems entirely fitting."
Steve Gibson wraps up by emphasizing the need for users to be vigilant when installing browser extensions, especially from the Chrome Web Store. He underscores the importance of understanding the security implications and the necessity of using trusted platforms, like Mozilla's Firefox with its more reliable extension moderation.
Notable Quote:
Steve Gibson [143:43]: "We are individually on our own, knowing all the things that are wrong... so stick with an also-ran browser where the browser I'm using is not as big a target as Chrome."
Use Trusted Browsers: Given the security issues with Chrome Web Store, users are encouraged to use browsers with more rigorous extension reviews.
Be Cautious with Permissions: Extensions often request extensive permissions that can compromise user data. Users should critically assess why an extension needs certain permissions.
Monitor Extension Activity: Regularly review installed extensions and remove those that are unnecessary or suspicious.
Support Greater Moderation Efforts: Advocate for improved moderation practices in browser extension stores to enhance overall security.
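As an added illustration of the two recommendations above on permissions and on reviewing installed extensions (example code written for this page, not code from the podcast or from Wladimir Palant), the following Python script scores extension manifests by how much access they request: whether the host patterns cover every site, and whether the API permissions include ones that read or rewrite traffic, cookies or history. The extension names and manifests are constructed for the example; the match-pattern syntax, the Manifest V2/V3 permission fields and the `Extensions/<id>/<version>/manifest.json` profile layout are Chrome's own.

```python
import json
from pathlib import Path

# Host patterns that match every site; a bare "*" host is treated the same way.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension read or rewrite traffic, cookies,
# history, or reach outside the browser.
SENSITIVE_API_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "proxy",
    "cookies", "history", "tabs", "scripting", "debugger", "management",
    "nativeMessaging", "clipboardRead", "downloads",
}


def is_host_pattern(entry):
    """True for a match pattern (MV2 mixes these into "permissions")."""
    return entry == "<all_urls>" or "://" in entry


def is_broad_host(pattern):
    """True if the pattern grants access to every host."""
    if pattern in BROAD_HOST_PATTERNS:
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def assess_manifest(manifest):
    """Return (level, findings) for one parsed manifest.json: "high" when the
    extension runs everywhere and holds a sensitive API, "medium" for one
    of the two, "low" otherwise."""
    declared = list(manifest.get("permissions", [])) + list(
        manifest.get("optional_permissions", []))
    # MV3 lists host patterns in host_permissions; MV2 puts them in permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in declared if is_host_pattern(p)]
    apis = {p for p in declared if not is_host_pattern(p)}
    # Content scripts get page access on every site their matches cover.
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])

    findings = []
    broad = sorted({h for h in hosts if is_broad_host(h)})
    if broad:
        findings.append("runs on every site: " + ", ".join(broad))
    sensitive = sorted(apis & SENSITIVE_API_PERMISSIONS)
    if sensitive:
        findings.append("sensitive APIs: " + ", ".join(sensitive))
    if broad and sensitive:
        level = "high"
    elif broad or sensitive:
        level = "medium"
    else:
        level = "low"
    return level, findings


def scan_manifests(named_manifests):
    """Score (name, manifest_json_text) pairs; riskiest first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    results = [(name, *assess_manifest(json.loads(text)))
               for name, text in named_manifests]
    return sorted(results, key=lambda r: rank[r[1]])


def load_profile_manifests(profile_dir):
    """Collect manifests from a Chrome profile directory, for example
    ~/.config/google-chrome/Default on Linux. A name of the form
    __MSG_xxx__ is localized, so the extension id is reported instead."""
    found = []
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        text = path.read_text(encoding="utf-8")
        name = json.loads(text).get("name", "")
        if not name or name.startswith("__MSG_"):
            name = path.parents[1].name  # the extension id directory
        found.append((name, text))
    return found


# Constructed sample manifests (not real extensions) so the script runs offline.
SAMPLE_MANIFESTS = [
    ("Proxy Switcher Pro (hypothetical)", json.dumps({
        "manifest_version": 3,
        "permissions": ["proxy", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"]})),
    ("Page Highlighter (hypothetical)", json.dumps({
        "manifest_version": 3,
        "permissions": ["activeTab"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]})),
    ("Word Lookup (hypothetical)", json.dumps({
        "manifest_version": 2,
        "permissions": ["storage", "*://*.example.org/*"]})),
]

if __name__ == "__main__":
    for name, level, findings in scan_manifests(SAMPLE_MANIFESTS):
        print(f"{level:6} {name}: {'; '.join(findings) or 'nothing notable'}")
```

To run it against a real profile, pass `load_profile_manifests(<profile dir>)` to `scan_manifests` in place of the sample list. A "high" result is not proof of anything malicious, since a proxy switcher or an ad blocker legitimately needs that access; it is the list of extensions whose publisher and update history deserve the scrutiny the store itself is not providing.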
End of Summary